Insurers can't use 'act of war' excuse to avoid Merck's $1.4B NotPetya payout
'The get-out-of-jail-free card option has been removed' as one expert put it
Merck's insurers can't use an "act of war" clause to deny the pharmaceutical giant an enormous payout to clean up its NotPetya infection, a court has ruled.
A New Jersey appellate court this week upheld [PDF] an earlier decision that a group of insurers could not use the war exclusion in their insurance policies — despite the US and UK governments, among others, attributing NotPetya to Kremlin-backed fiends — because the attack against Merck wasn't specifically linked to Russian military action.
The ruling means Merck may finally claim its $1.4 billion payout. And it's likely going to make it more difficult for insurance companies to use war as an excuse to not pay losses related to cyberattacks, according to industry watchers.
"The get-out-of-jail-free card option has simply been removed," Chris Gray, vice president at IT security house Deepwatch, told The Register.
The ruling will also undoubtedly affect the language used in underwriting policies, especially when it comes to risks such as ransomware and cyber warfare, said Peter Hedberg, VP of cyber underwriting at Corvus Insurance.
"The recent decision involving Merck indeed affects our line of coverage," he told The Register. "How it does cannot be evaluated this early, but we know it's important. This by no means establishes an underwriting guideline or an industry coverage position, but it does start to get the ball rolling in how we can create more certainty for policyholders."
NotPetya, not war
Back in June 2017, malware dubbed NotPetya – because it masqueraded as the Petya ransomware – exploded across the world.
While it at first targeted Ukraine, the software nasty also infected businesses in other countries across Europe, along with the US and Australia. One of those was Merck, which said NotPetya shut down its production facilities and critical applications, ultimately infecting more than 40,000 of the medical giant's computers.
At the time, Merck's property insurance program included policies that covered "all risks" with $1.75 billion in total limits above a $150 million deductible, according to court documents.
In January 2022, the Superior Court of New Jersey awarded the pharma titan $1.4 billion after Merck sued eight of its insurers over their denial of coverage for weathering the attack. The insurance companies disputed having to pay $699,475,000, or about 40 percent of Merck's total coverage amount.
This week's ruling upheld the earlier court's decision.
"Here, the NotPetya attack is not sufficiently linked to a military action or objective as it was a non-military cyberattack against an accounting software provider," the appellate bench said. "We conclude the Insurers did not demonstrate the exclusion applied under the circumstances of this case, namely, that this cyberattack was a 'hostile' or 'warlike' action as contemplated under the exclusion."
The decision represents a win for insurance policy holders, and will make it more difficult for insurers to use the war exclusion as a catch-all for government-linked cyberattacks, we're told.
"Put in combat terms, Ukrainian systems were targeted and everyone else was collateral damage. The recent ruling effectively says that this collateral damage 'happened,' but that the recipients were not targeted via an offensive act of war," said Deepwatch's Gray, who works with insurers on attack reporting and negotiations.
"There are undoubtedly political ramifications that prevent the term 'act of war' from being used broadly as well," he added.
'A blow' to war exemptions
GuidePoint Security's Mark Lance, VP of digital forensics and incident response and threat intel, told The Register that the ruling is "a blow to the way that they [insurance companies] are conducting business," given the increasing emphasis insurers have put on these act-of-war clauses.
Lloyd's of London last year said its insurance policies will stop covering losses from certain nation-state cyber attacks and those that happen during wars, declared or not, beginning April 1, 2023.
Also in 2022, Mondelez International settled its lawsuit against Zurich American Insurance Company, which it brought because the insurer refused to cover the snack giant's $100-million-plus cleanup bill following the 2017 NotPetya outbreak. Zurich had denied the snack giant's claims citing a similar war exclusion.
The Merck ruling "sets this precedent, where you have an attack that was associated with a certain region, but was not considered an act of war," Lance told The Register.
"Based on this ruling, I can't really think of any situation currently, where insurance wouldn't be required to provide the coverage or make payments," he said, adding the only exception would be if an insurer was able to directly link a cyberattack to the Russia-Ukraine conflict.
"Outside of that, for these more unique instances of ransomware or anything else, it's really hard to attribute back to a specific threat actor involved with a nation state," Lance said.
Meanwhile, insurance policies will need to adjust accordingly, Hedberg said.
Don't forget about ransomware
"As the world continues to virtualize, many products and services that rely on the kinetic world's laws will be confronted with the need to evolve," he said. "Insurance has always made clear war is uninsurable. A virtual war always inhabited the sphere of fiction and fantasy. We know the potential exists, and by some arguments is occurring."
While his firm's goal "has and will continue to be balancing public policy with the interests of insurers and policyholders," this becomes more difficult, and raises more questions, as the virtual and kinetic world become more interconnected, Hedberg said, citing ransomware as an example.
"Protecting our insureds is the reason they buy insurance," he continued. "Unfortunately, when that means paying a ransom that funds a hostile state-backed adversary it's not in the interest of our country. We anticipate continued development around it and hope a path exists to both protect our policyholders and deprive our adversaries the financial benefit of ransomware attacks." ®