The City of Baltimore is the latest victim of increasingly common ransomware attacks. On May 7, 2019, unidentified hackers infiltrated Baltimore’s computer system using a cyber-tool named EternalBlue, developed originally by the United States National Security Agency to identify vulnerabilities in computer systems. However, the NSA lost control of EternalBlue, and since 2017, cybercriminals have used it to infiltrate computer systems and demand payment in exchange for relinquishing control. For instance, in Baltimore, the hackers have frozen the City’s e-mail system and disrupted real estate transactions and utility billing systems, among many other things. The hackers reportedly demanded roughly $100,000 in Bitcoin to restore Baltimore’s system. The city has refused to pay.
The net cost to Baltimore is still mounting. However, Baltimore is not alone. Damages sustained by victims of such attacks have been significant. For example, a similar incident called NotPetya caused Mondelez International, Inc., and Merck & Co. damages of approximately $100 million and $700 million, respectively – and, according to multiple sources, EternalBlue was a culprit in NotPetya also. Similar to Baltimore’s system, NotPetya caused computers at Mondelez to freeze; as a result, employees could not access emails or files on the company’s network, and other software programs crashed. Although NotPetya used EternalBlue to spread the malware, unlike the variant used in Baltimore, its effect was irreversible. To add insult to injury, some of Merck’s and Mondelez’s insurance companies denied coverage for their damages from the incident. Indeed, because the press reported that some involved blamed Russia for NotPetya, the insurers invoked the “war exclusion” to deny coverage. In response to the denials, Mondelez and Merck sued their insurers. Both cases are currently in active litigation.
Traditionally, courts have applied war exclusions to “kinetic warfare” – attacks that the ordinary person would consider an act of war. This conclusion arises as a result of factors such as whether the attackers wore uniforms, whether they used physical weapons, and whether there was a governmental declaration of war. Courts have even considered whether involved individuals received medals for heroic acts. More recent court decisions rely heavily on an assessment of facts about whether a foreign government sponsored the attack. The factors that will drive decisions in the Merck and Mondelez lawsuits remain to be seen; however, with the cost of cybersecurity incidents on the rise, these suits raise serious questions for policyholders.
Whether Baltimore seeks coverage for the EternalBlue ransomware incident and whether its insurers assert any defenses, including the war exclusion, remains to be seen. Regardless, the issues raised by these and other ransomware attacks, underscores the need for policyholders to know the scope of their coverage and to be prepared to respond if a recalcitrant insurer denies coverage. Policyholders should review their insurance policies to identify and tailor potentially overly broad exclusions, like the war exclusion, and other provisions that could lead to coverage denials… Being proactive before a loss occurs will help ensure that coverage applies as expected and expedite the insurer’s response if or when a loss should occur.