I received the following news in my email this morning from Joel A. Appelbaum, Executive Vice President & Chief Content Officer of International Risk Management Institute, Inc. I thought it was important enough to share.
Insurers have recently invoked the “war exclusion” to deny coverage for a cyber-security incident that caused policyholders significant damage. Specifically, Merck & Co., Inc., one of the largest pharmaceutical companies in the world, said its insurers denied claims related to the NotPetya cyber-security incident under commercial property insurance policies. Some of Merck’s insurers denied coverage principally based on the war exclusion.
Whether insurers will routinely invoke the war exclusion to deny coverage for cyber-security incidents comparable to NotPetya is essential—especially since these cyber attacks will likely become increasingly prevalent. Indeed, NotPetya reportedly affected companies such as conglomerate Maersk, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, and British consumer goods company Reckitt Benckiser. Other companies with substantial international operations, such as Roche, Marriott, and Lion Air, also confirmed that they were targeted.
Policyholders should take the steps necessary before being affected by cyber incidents to preempt a denial of coverage based on the war exclusion. To enhance the predictability of how the insurer will attempt to use the exclusion, carefully review the exclusion in proposed policy forms and inquire how the insurer intends to apply the exclusion before buying the policy. This proactive approach will also serve to define the scope the parties understand the exclusion to have.
Joel’s warning is a resounding “caveat emptor” to a business reviewing its coverage or considering a new policy. Consider discussing this with your agent the next time you meet. Before then, however, visit IRMI.com to find more about IRMI and the valuable insurance risk information they provide.