The new fine print in wartime cyber insurance has thrown a wrench in the works. Do Boards of Directors Understand? No!

Cyber insurance is just one part of the fintech puzzle regarding risk management.

The Russia-Ukraine conflict has heightened cybersecurity worries. Insurance is a standard mitigating option against breach-related damages as firms internally dispute their digital security sufficiency. However, many policyholders are surprised to learn that a court decision of recent date may likely undermine cyber warfare petitions.

Merck secured a judgment against a prominent insurance company, Ace Insurance, in January 2022 concerning a 2017 NotPetya malware assault. It was $1.4 billion, which destroyed 40,000 corporate systems. Ace dismissed Merck’s claim because underwriters seldom cover ransomware as an “act of war” exclusions. The court decided against Ace, causing major insurers to change policy coverage conditions relating to cyber damages as soon as possible.

Limited coverage and increased cyber risk raise financial exposure, which seldom sits well with boards. As liability grows, CIOs, CFOs, and legal counsel must analyze cyber insurance — or risk receiving significantly less coverage than projected.

Changes in risk

Malware, such as NotPetya, often spreads well beyond its intended targets. When cyber victims seek restitution, it is sometimes difficult to identify and suit offenders. This is a significant driver of demand for and costs of cyber insurance coverage.

According to Reed Smith, Merck’s case should serve as a warning to policyholders in the market for new insurance or future renewals. Insurers have taken significant financial losses due to hacking claims. Underwriters expect to continue analyzing and scrutinizing policy wording with fresh zeal. It didn’t take long at all.

The Lloyd’s Market Association’s (LMA) Cyber Business Panel has issued four cyber insurance policy exclusion provisions that dramatically widen insurers’ protection against “cyber operations” initiated by governments or agents. These developing words correspond to new legal precedents in cybersecurity insurance.

The Merck case demonstrates how new cyberwar/terror dangers test the old understanding of the war in legislation. So said Chaim Saiman. He is a law professor at Charles Widger School of Law at Villanova University. At the same time, insurers maintained that the policy does not cover ‘hostile or warlike’ operations. These types of operations traditionally have been acts by governments or sovereign authorities using military forces — not cyberattacks.

Insurance case law supports a concept of war taken from international law. That is somewhat narrower than the use typical in journalistic and political situations, Saiman remarked. Courts exclude cyberattacks because they anticipate a shooting war. Moreover, courts emphasize that it only applies to harm inflicted in or around the combat zone. This makes it a tough match for cyberwarfare.

As a result, carriers will continue to work to exclude cyber coverage from standard-issue casualty and liability policies entirely. They will shift these risks to specially-designed policies. These specialty policies have pricing, limits, language, and exclusions to the complexities raised by cyber risk, according to Saiman.

With increased geopolitical dangers and dependence on technology, this requires executive attention.

Following that, the boardroom’s cyber concerns and checklists are extensive and expanding. Here are three practical steps that CIOs may take to prepare for the inevitable cyber insurance queries.


CIOs, CFOs, and corporate counsel should properly examine cyber insurance policies promptly and periodically in the future. Consequently, these periodic evaluations should record coverage changes. That is to say, they should evaluate insurance sufficiency, examine alternatives, and harness external expertise. Indeed, conduct evaluation changes using a framework developed with board support.

The Merck V. Ace decision should encourage policyholders to work with trusted brokers, according to Reed Smith. He says risk management professionals and coverage counsel should evaluate policy language. Indeed, the ‘act of war” exclusion is one of many terms that draw fresh scrutiny from the insurance industry.


CIOs should track how cybersecurity processes, controls testing, and breach responses comply with external guidelines. Also, track evaluations that a reliable source builds. That is to say, organizations such as the National Institute of Standards and Technology in the United States (NIST). This record will educate the board, guide IT organization rules and processes, and speed up yearly tech audits.

Notably, such files provide insurers and courts with proof of the reasonable efforts that are often required to get coverage and file claims. Chubb, for example, gives policyholders a 45-day grace period to repair software security flaws—such flaws recognized as “common vulnerabilities and exposures” in NIST’s database.

Notably, Chubb’s neglected software exploit endorsement states that after the 45-day grace period, risk-sharing steadily transfers to the policyholder. The shift happens if they don’t fix their vulnerability. CIOs’ credibility in among the Suits will erode if IT fails to achieve such rational insurance minimums.

Finally, the Securities and Exchange Commission gradually requires improved corporate cybersecurity disclosure. CFOs, audit committees, and regulators will depend heavily on CIO input, data, and opinions on cyber controls, breach response methods, and possible exposure during the coming year. Assessments of cyber insurance will unavoidably be crucial to such disclosure and future reporting.

There is no safety net. Not yet.

Cyber insurance rates are rising at an unprecedented rate — due to escalating digital dangers. Unfortunately, when cyber protections fail, many insureds may discover they have weak coverage and be forced to engage in expensive, useless legal fights. That’s a considerable cybersecurity gap that no board can afford. Who’s going to read the tiny print before it’s too late?

Featured Image Credit: Pexels; Thank you!

Brad Anderson

Editor In Chief at ReadWrite

Brad is the editor overseeing contributed content at He previously worked as an editor at PayPal and Crunchbase. You can reach him at brad at