Analysis & Opinions - Lawfare

Building a Cyber Insurance Backstop Is Harder Than It Sounds

| Feb. 26, 2024

Insurers argue that a government backstop would help them cover catastrophic cyberattacks, but it’s not so simple.

In the first week of January, the pharmaceutical giant Merck quietly settled its years-long lawsuit over whether or not its property and casualty insurers would cover a $700 million claim filed after the devastating NotPetya cyberattack in 2017. The malware ultimately infected more than 40,000 of Merck’s computers, which significantly disrupted the company’s drug and vaccine production. After Merck filed its $700 million claim, the pharmaceutical giant’s insurers argued that they were not required to cover the malware’s damage because the cyberattack was widely attributed to the Russian government and therefore was excluded from standard property and casualty insurance coverage as a “hostile or warlike act.”

At the heart of the lawsuit was a crucial question: Who should pay for massive, state-sponsored cyberattacks that cause billions of dollars’ worth of damage?

One possible solution, touted by former Department of Homeland Security Secretary Michael Chertoff on a recent podcast, would be for the federal government to step in and help pay for these sorts of attacks by providing a cyber insurance backstop. A cyber insurance backstop would provide a means for insurers to receive financial support from the federal government in the event that there was a catastrophic cyberattack that caused so much financial damage that the insurers could not afford to cover all of it.

For more information on this publication: Belfer Communications Office
For Academic Citation: Schneier, Bruce and Josephine Wolff.“Building a Cyber Insurance Backstop Is Harder Than It Sounds.” Lawfare, February 26, 2024.

The Authors