Insurance companies cannot avoid liability by claiming that cyber attacks are an act of war, a US court has ruled in a significant verdict that paves the way for pharmaceutical giant Merck to claim $2 billion ($US1.4 billion) in damages from the 2017 NotPetya attack.

The New Jersey Courts Appellate Division decision, which pitted Merck against several insurance companies that appealed a 2022 verdict in the company’s favour, ruled that the “hostile or war-like action” exception in Merck’s cyber insurance policy could not be applied to malware attacks because the clauses “required the involvement of military action”.

Such ‘act of war’ exceptions are designed to limit insurers’ exposure to the widespread damage of conflicts between foreign powers – yet while the insurers’ lawyers argued that NotPetya emerged from the escalating conflict between Russia and Ukraine, the appeals court ruled that “coverage could only be excluded here if we stretched the meaning of ‘hostile’ to its outer limit.”

Planted by Russian cyber criminals in a Ukrainian accounting package, the NotPetya malware quickly spread across the world, causing an estimated $15 billion ($US10 billion) in reported damages and halting many key supply chains as Merck and the likes of shipping giant Maersk struggled to recover.

Shortly after the attack, Merck reported a $350 million ($US240 million) sales drop because NotPetya’s impact on its supply chain meant it couldn’t meet customer demand, as well as a $200 million ($US135 million) revenue hit for lost sales.

The verdict is “an incredible blow for the insurance industry,” said Monica Oravcova, co-founder and chief operating officer of security firm Naoris Protocol, as the verdict was announced.

“It will no doubt precipitate a flurry of activity in existing insurance industry underwriting practices,” she said, warning that the ruling “will impact not only insurers but the companies that seek cover… We can expect even tighter restrictions, exclusions, and possibly another spike in premiums.”

Your cyber defences determine your insurance eligibility

Cyber insurance companies have had a difficult few years, as what once seemed like a promising line of business became an underwriting nightmare amidst the realisation that premiums could not cover soaring ransom demands.

Since then, steep premium price hikes have helped cyber insurers better contain their exposure to cyber attacks – with some rejecting claims, many banning ransomware payments, and others requiring companies to implement laundry lists of technological and policy requirements.

Fully 95 per cent of respondents to a new 14-country Sophos analysis reported that their ability to get a cyber policy, along with its price and terms, was tied to the quality of their cyber defences.

“With cyber-attacks becoming increasingly sophisticated, insurers now demand increasing levels of risk management from businesses seeking coverage,” said Tom Salter, account executive with PSC Insurance, which recently joined technology service provider Somerville to prepare a checklist of security capabilities that insurers expect.

These include encryption of sensitive data; use of multi-factor authentication; comprehensive endpoint protection; regular and offsite backups; regular testing of backups to ensure they’re recoverable; scanning of incoming emails; user security training; admin checks to confirm changes in customer and partner details; financial checks such as requiring two parties to authorise outgoing payments over a certain amount; and patch management to ensure critical patches are installed as soon as possible.

“It is imperative to demonstrate to insurers that your business has a robust risk management system in place to secure the most appropriate coverage that meets the needs of your business,” Salter said.

Some 91 per cent of cyber security and IT professionals that Sophos surveyed reported having cyber insurance, while 695 respondents – 23 per cent of the total – said their company was insured and made a ransom payment in the last year.

Indeed, insured companies were four times more likely to have paid a ransom to recover their data – with large companies more likely to have policies.

Failure to take out cyber insurance has already created problems for companies like private healthcare insurer Medibank, which revealed last year that its decision not to buy cyber insurance had left it financially exposed to a massive cyber attack.

Medibank crowed that it had followed government guidance in electing not to pay the ransom, but with millions of Australians’ health records breached, the company now faces a series of class-action lawsuits – with the third such action lodged this month by Slater & Gordon.