When pharmaceutical giant Merck became a casualty of the far-ranging NotPetya cyber attack in June 2017, an assortment of its insurers refused to pay out. These insurers claimed that the incident was an “act of war” of the type frequently excepted from insurance claims, kicking off a years-long legal battle that has now resolved in Merck’s favor.
A New Jersey court has determined that Merck is entitled to over $1 billion in damages, and the case is likely to send the industry scrambling to update the terms of cyber policies. Insurers are now on much shakier ground in invoking the traditional definition of an act of war to deny a claim, and will have to specify that “remote consequences” of cyber exchanges between nations are not covered.
Ruling on NotPetya cyber attack draws clearer legal distinction between “acts of war” and incidental damage
The ruling will only apply as a matter of precedent for cases brought in New Jersey, but it is also likely to cause a ripple in the cyber insurance industry as firms look to get out ahead of what could be a new legal trend.
One element that policy shoppers should expect is new language specifically including “non-traditional” forms of warfare, a point that the judge in the case articulated in his opinion. Another is more specific language about “remote consequences” that stem from some sort of international conflict but that do not constitute a direct nation-state attack on the insured party. In the case of the NotPetya cyber attack, the damage to many companies was unintentional as the ransomware spread on its own beyond its intended targets in Ukraine.
Thus, insurance claims under existing policies are more likely to be successful in these sorts of cyber attack scenarios, but this is also likely to be a transitional period in which insurers update their terms and contract language in response. This will be nothing new in the cyber insurance industry, which has already been on a years-long pattern of contraction after ransomware damages spiked to incredible levels during the Covid-19 pandemic period. Terms are tighter, and insurance seekers are required to do more (in terms of demonstrating competent business security) to obtain any kind of coverage.
$1.4 billion in insurance claims owed to Merck
Merck’s insurance claims amount to a hefty sum, covering tens of thousands of damaged computers, countless hours of remediation and assorted business costs from the devastating NotPetya cyber attack. The $1.4 billion bill is an example of why cyber insurers have been shying away from ransomware coverage, as attacks continue to be common and costs can very quickly balloon to astronomical levels.
The “acts of war” exceptions that are presently invoked in cyber insurance policies are now decades old, developed long before the internet or home computers were even concepts. The NotPetya cyber attack ruling is part of an emerging body of law that is forcing an update of these terms, and thus far it is largely playing out in favor of insurance claims. The New Jersey ruling illustrates that insurance policies have thus far been too ambiguous on act-of-war exceptions, relying too much on outdated industry expectations that courts do not believe apply to the modern cyber landscape.
One legal question that remains not fully resolved is that of attribution. When it comes to cyber incidents, the perpetrators nearly always categorically deny they are responsible (as Russia continues to do with the NotPetya cyber attack). There is also almost never any “smoking gun” evidence, so the attribution comes from governments and cybersecurity firms with varying degrees of confidence, based on factors such as the malware and tools used, the sort of information the attackers focused on stealing, and the time zones and language used during attacks. Insurers are relying on this imperfect attribution to hold up in court, something that has yet to be thoroughly tested.