The City of Baltimore is the latest victim of increasingly common ransomware attacks. On May 7, 2019, unidentified hackers infiltrated Baltimore's computer system using a cyber-tool named EternalBlue, developed originally by the United States National Security Agency to identify vulnerabilities in computer systems. However, the NSA lost control of EternalBlue, and since 2017, cybercriminals have used it to infiltrate computer systems and demand payment in exchange for relinquishing control. For instance, in Baltimore, the hackers have frozen the City's email system and disrupted real estate transactions and utility billing systems, among many other things. The hackers reportedly demanded roughly $ 1
The net cost to Baltimore is still mounting. However, Baltimore is not alone. Damages sustained by victims of such attacks have been significant. For example, a similar incident called NotPetya caused Mondelez International, Inc., and Merck & Co. damages of approximately $ 100 million and $ 700 million, respectively – and, according to multiple sources, EternalBlue was a culprit in NotPetya also. Similar to Baltimore's system, NotPetya caused computers to freeze; as a result, employees could not access emails or files on the company's network, and other software programs crashed. Although NotPetya used EternalBlue to spread the malware, its effect was irreversible. To add insult to injury, some of Merck's and Mondelez's insurance companies are covered for their damages from the incident. Indeed, because the press reported that some involved Russia for NotPetya, the insurers invoked the "war exclusion" to deny coverage. In response to the denials, Mondelez and Merck sued their insurers. Both cases are currently in active litigation.
Traditionally, courts have applied the exclusions to "kinetic warfare" "- attacks that the ordinary person would consider an act of war. This conclusion arises as a result of factors such as whether the attackers were of uniforms, whether they were used physical weapons, or whether there was a governmental declaration of war. Courts have even considered whether involved individuals received medals for heroic acts. More recent court decisions rely heavily on an assessment of facts about whether a foreign government sponsored the attack. The factors that will drive decisions in the Merck and Mondelez lawsuits remain to be seen; however, with the cost of cybersecurity incidents on the rise, these raises serious questions for policyholders. Whether Baltimore seeks coverage for the EternalBlue ransomware incident and whether its insurers asserted any defenses, including the war exclusion, remains to be seen. Regardless of the issues raised by these and other ransomware attacks, they are required to know the scope of their coverage and to be prepared to respond to a recalcitrant insurer's coverage. Policyholders should review their insurance policies to identify and tailor wide coverage, like the war exclusion, and other commissions that could lead to coverage denials… will help ensure that coverage applies as expected and expedited to the insurer's response if or when a loss should occur.