Re-Insurance.com’s revelation earlier this week that Merck may still look to recoup hundreds of millions of dollars of cyber losses from insurers on its $1.75bn property program would see the bill for the US pharmaceutical firm’s NotPetya hit dwarf any other insured cyber loss.
It will also vindicate industry leaders – such as the former Lloyd’s performance director and now AIG chief underwriting officer for general insurance, Tom Bolt, as well as Stephen Catlin, the founder of the Catlin Group – who have repeatedly warned about (re)insurers’ exposure to so-called “silent” or “non-affirmative” cyber coverage, where protection is given as part of a wider policy that may not adequately price for the exposure.
In its annual 10-K filing earlier this year, Merck pegged costs related to the NotPetya attack a year ago today at $915mn. If the loss seeps into Merck’s vast $1.75bn property tower then it may have significant consequences for the industry.
It would also likely accelerate initiatives being taken by different insurers looking to understand their silent cyber exposures and ensure greater alignment between their dedicated cyber underwriters and their colleagues writing other classes where business interruption is a significant component of the cover.
But it could also lead to litigation over the wording and extent of coverage the policy offers – a scenario that Merck has itself acknowledged when it told investors that it had “insurance coverage insuring against costs resulting from cyber-attacks and has received proceeds.
“However,” it noted, “there may be disputes with the insurers about the availability of the insurance coverage for claims related to this incident”.
Those disputes - if they occur at all - will take time to develop. In the meantime, re-Insurance.com traces the largest cyber losses endured by (re)insurers in the relatively short history of coverage for the peril.
Regardless of the eventual claim - if any - against Merck’s $1.75bn property tower, the pharmaceutical company’s $275mn loss, which has been confirmed by PCS and is thought to have exhausted Merck’s cyber coverage, is already expected to be the largest cyber claim recorded to date.
Last year also saw the industry’s second highest loss after 145.5 million customers of credit reporting agency Equifax had their information compromised following hacks in May and June.
Equifax has pegged its own losses from the breach at $439mn, well above its $125mn of dedicated cyber cover.
With an insured loss of $30mn, an attack on Nuance Communications, added to the cyber claim bill for 2017.
That followed a profound reminder of the importance of policy wordings, which was handed to insurers in 2016.
That year, a July systems failure – rather than a malicious cyber attack – was sufficient for Southwest Airlines to claim $82mn on its cyber policy, led by AIG. Excess layers included Lloyd’s insurers such as Brit and Novae.
US medical insurer Anthem endured a massive cyber hack in February 2015 when 78.8 million people’s records were breached. It provoked a series of class actions which were settled last year at a reported cost of $115mn.
The $100mn cyber policy – led by AIG – was triggered, with insurers understood to have picked up the tab for $82mn.
Carriers were already reeling from another hack that had taken place a few months earlier. That time the target was Sony Pictures, which is understood to have claimed $110mn from insurers.
The hack followed three years after an earlier and now-infamous attack against the Japanese technology giant’s PlayStation network that led to a dispute with Zurich after Sony tried to claim under a general liability policy, which the insurer disputed. The pair eventually reached a settlement but the terms were not disclosed.
Two other high-profile cyber attacks were on US retailers, Target and Home Depot.
The attack on Home Depot in 2014 cost the firm’s cyber insurers $105mn after malicious software breached the company’s payment systems and led to the theft of debit and credit card details for and estimated 56 million of its customers.
While in November 2013, Target cost its insurers $90mn after a massive hack. The attack exhausted the US retail giant’s $100mn cyber coverage, which included a $10mn self-retention. The insurers were thought to include Chubb with a $15mn layer, AIG - which was understood to be in for $25mn - and Axis, with a $10mn line.
But as the cyber market approaches the 1 July renewals there is concern that growing competition is continuing to put pressure on pricing for affirmative cyber cover and forcing underwriters to expand terms despite these headline loss events.