Beacon Beacon Beacon Beacon Beacon

IRDAI LICENSE NO: 320 CRISIL RATED

news

Latest insurances policy and benefits discussion
13 Nov 2018
Cyber Attack Loss – A Big Loss But Insurable
admin

NotPetya ransomware cost Merck & Co more than $300 Mn per quarter

Brief about Merck & Co, Inc

Merck & Co, Inc is an American pharmaceutical company and one of the largest pharmaceutical companies in the world.

Headquarters – Kenilworth, New Jersey, United States

No of employees – 70,000 plus

Revenue – US$ 40 billion plus

 

Cyber attack – NotPetya ransomware

Petya & NotPetya are two malwares that affected almost all sectors in various countries in 2016 & 2017, respectively. Both malwares aim to encrypt the hard drive of infected computers. But, NotPetya is considered more dangerous as it has potential to spread and infect computers and also, it is understood as a state sponsored Russian cyber attack.

 

NotPetya ransomware’s effect on Merck & Co, Inc

According to new report (dated – 27th June, 2017) Merck & Co, Inc’s ability to supply its products got affected due to malware attack commonly known as “NotPetya”. Company’s e-mails were disabled, 70,000 employees were forbidden from touching their computers.

Merck has provided more detail about this attack. It stated that company has experienced a network cyber-attack that disrupted its worldwide operations, including manufacturing, research and sales operations. Further, the company said the attack had a $260 million impact on sales, $330 million impact on marketing and administrative expenses and production costs, and a $200 million impact on 2018 sales through residual backlog. Most operations were restored within six months.[1]

Besides loss of revenue (Business interruption) to Merck & Co. Inc, customers of Merck also got affected as manufacturing disruption resulted in shortage of product supply to customers. Although there is no evidence that disruption has created any risk to patients, it certainly raises concern.

One obvious effect was on its star HPV vaccine, which fell 22% and missed sales expectations by $100 million. On top of that, unable to produce enough Gardasil to meet demand; it was forced to borrow doses from the CDC’s stockpile to fulfil orders.[2]

 

Cyber Insurance as solution for incidences similar to one’s faced by Merck & Co, Inc–

Cyber Insurance policy is designed to pay various expenses for pre-loss prevention and post loss services. It also pays for damages awarded against Insured, along with defense cost incurred in defending claims.

1) Business Interruption – net profit loss cover

Because of Cyber incidence Insured may not be able to conduct normal operation which may last for weeks and few months. Business loss is major threat to Insured as it has direct and major impact on net profit of Insured.

Cyber Insurance policy provides cover for loss of net profit after cyber incident subject to excess (usually 12hrs or 24hrs waiting period as excess) till restoration of normal business operations.

2) Cyber Incident Response cover –

As part of response to cyber incidence, following expert teams may be required –

  • Cyber Forensic expert team – for cyber forensic investigation
  • PR agencies – for public relation consulting
  • Legal requirements – to defend Insured in Court of Law from claim brought by customers and other parties
  • Credit monitoring services – required to track customer’s critical documents to ensure documents are not misused.

Cyber Insurance Policy covers reasonable expenses and fees charges by these response teams.

3) System damage & rectification / Post-Breach Remediation Costs/Restoration cost cover – Cyber Insurance Policy will pay reasonable expenses of rectification of systems as well as restoration of data.

4) Digital Media Liability – Defamation or Intellectual property rights infringement – Cyber Insurance Policy pays for defense cost and damages awarded in defamation suits and IPR related suits (relating to or arising from cyber incidence) from customers.

Other major covers available under Cyber Insurance are –

  • Cyber extortion & ransoms cover
  • Computer fraud & Funds transfer fraud cover
  • Outsource service providers cover, etc.

Underwriting Information

Duly filled proposal form or application form is required to underwrite the Cyber Insurance Policy. Important information which are reviewed by Insurer to underwrite Cyber Insurance policy are –

  1. Business activity
  2. Detail of Gross online revenue for 3 years of Insured
  3. Geographical spread of Insured
  4. No of IP Addresses & active ID address of Insured
  5. Data Protection Policy of Insured
  6. IT Security plan
  7. DDoS attack preparedness by Insured etc.

 

Indicative Premium for Limit of Liability (SI) is mentioned as below-

Limit of Liability Premium
INR 5 Cr INR 5 Lakh
INR 10 Cr INR 8 Lakh
INR 20 Cr INR 12 Lakh
INR 50 Cr INR 23 Lakh

 

-Warm Regards

Beacon Insurance Brokers Pvt Ltd

[1] News Link – https://www.fiercepharma.com/manufacturing/merck-has-hardened-its-defenses-against-cyber-attacks-like-one-last-year-cost-it

[2] News Link – https://www.fiercepharma.com/manufacturing/merck-says-its-has-restored-most-its-manufacturing-hit-by-cyber-attack

Comments Off on Cyber Attack Loss – A Big Loss But Insurable

Comments are closed.