2021 Cyber Law & Regulation Outlook

Following up on our article on the most important cyber law developments of 2020, here are the most anticipated judgments and regulatory changes that are expected for 2021.

The Merck and Mondelez NotPetya Ransomware Cases

While there has been little public development since the Merck and Mondelez cases, arguably the most high-profile cyber law cases, were filed in 2018, the judgments could have far-reaching consequences for the property and cyber insurance markets.

Merck and Mondelez, both hit hard by NotPetya in 2017, have sued their respective property insurers, who have refused to pay out, citing war exclusion clauses in the wording of the policies.

While Merck and its captive have sued their more than 20 re/insurers, including Allianz and AIG, who provided property and business insurance, for $1.3Bn in losses in a New Jersey court, Mondelez has sued its insurer Zurich for $100 Mil in an Illinois court.

Although NotPetya has been attributed to Russian state-sponsored agents by the Trump administration, there has been, of course, no formal declaration of war. The attribution of the attack is a crucial factor in the lawsuits. Without a clear attribution to a state-sponsored actor, there is doubt whether the war exclusions will be binding.

These judgments will not only indirectly influence the cyber insurance market, but will also more directly affect the overall property and casualty insurance markets, as both claims are examples of silent cyber incidents, where a cyber attack causes damage that is covered by another, non-cyber P&C insurance policy.

There has been much progress in tackling silent cyber exposure in the four years since NotPetya, such as the Lloyd’s cyber mandate that came into full effect in 2021. However, silent cyber is still a major problem which affects many traditional lines of insurance.

If the cases are decided for the insureds, the pressure to adopt clearer wordings will likely increase, which could paradoxically prove a blessing in disguise for the insurance market as a whole.

Cryptocurrency Regulation

Newly confirmed US Secretary of the Treasury Janet Yellen stated during her Senate confirmation in early 2021 that it is important to consider “[…] the benefits of cryptocurrencies and other digital assets, and the potential they have to improve the efficiency of the financial system,” and “we know they can be used to finance terrorism, facilitate money laundering, and support malign activities that threaten U.S. national security interests and the integrity of the U.S. and international financial systems.”

Although she slightly backtracked on her comments later, the message is clear and had also been voiced by ECB President Lagarde a few months earlier: cryptocurrencies could be heavily regulated in the near future, which in the context of cyber insurance would have tremendous consequences.

As ransomware is, at least as of now, by far the most dangerous and worrying threat in 2021 and responsible for the steep increase in cyber insurance premium rates, a tighter regulation of cryptocurrencies could in the short term make the payment of ransoms harder and/or more expensive. On the other hand, cryptocurrencies are the key enabler and driver of the ransomware threat. If regulation goes so far as to ban cryptocurrency ransomware payments altogether, the significantly reduced incentives and possibilities to monetize cyber crime could drastically reduce the overall threat landscape.

G&G Oil Co. of Indiana v. Continental Western Insurance Co.

In another silent cyber exposure case, the Indiana Supreme Court will in 2021 decide a ransomware case that occurred in November 2017. The G&G Oil Company of Indiana is suing its E&O insurer Continental Western Insurance over the denied coverage for a $34.500 payment made as ransom via Bitcoin to unlock its affected computers and servers.

The E&O policy covered G&G against computer fraud, but Continental denied the claim because G&G did not purchase the available optional coverage for computer virus and hacking. The lower Indiana state court gave summary judgment to the insurer and dismissed the lawsuit by G&G, holding that the ransomware demand did not entail any deceit and therefore was not a “fraud” within the computer fraud coverage.

G&G argued that the wording of the computer fraud coverage in the E&O policy used the terms “fraud” and “fraudulently”, which were not sufficiently defined and must follow “their plain and ordinary meanings,” including “unconscionable dealing,” and thereby provided coverage for the ransomware demand. It also argued that the phishing email tricked its employee into releasing the ransomware into the computer system.

Upon appeal, the Indiana Supreme Court held in March 2021 that the dispute should not be subject to a summary judgment and sent it back to the trial court. The Supreme Court accepted that ‘fraud’ could be “reasonably understood as simply ‘to obtain by trick.’” However, the Supreme Court remanded the case to the trial court so as to determine whether G&G’s computer systems were in fact obtained by trick, on the basis that “not…every ransomware attack is necessarily fraudulent”.

Celso De Azevedo

Celso De Azevedo is a Barrister located in London specializing in reinsurance, cyber insurance, cybersecurity, data breach, cryptocurrency, fraud, asset tracing and business interruption insurance law. He is the author of “Cyber Risks Insurance: Law and Practice”.

Daniel Kasper

Daniel Kasper is the principal of Cyber Economics.

References