‘Cyber War’ exception overturned in Merck’s battle with insurance company over NotPetya attack

A recent decision in New Jersey indicates that insurers may not be able to use “cyber warfare” clauses as an excuse not to pay for ransomware attack remediation. Pharmaceutical giant Merck was caught up in the 2017 NotPetya attacks, and insurer Ace American refused to cover the $1.4 billion in damages citing this exception.

The lawsuit was filed in 2019 and has just been decided in Merck’s favor, with the court agreeing that the “cyber warfare” clause could only be invoked if government agencies were clearly involved. As with most cyberattacks from Russia, attribution to its intelligence services is not made with “irrefutable” evidence, but rather with a set of secondary sources that the court found did not meet the standard.

Merck’s Victory in NotPetya Attack Case Sets High Standard for Attribution to Government Agencies

Merck held a $1.75 billion “all-risk” property insurance policy that included coverage for damage caused by cyberattacks. This policy seemed like a lifeline when the NotPetya attacks ripped through its network in June 2017, affecting 40,000 computers across the company and causing more than $1 billion in total damage.

However, a “cyber warfare” clause in the policy was invoked by the insurer to withhold payment. The insurer pointed to the attribution of the NotPetya attacks to Russia by the US and UK governments, with the cybersecurity community widely believing the attacks were initially aimed at antagonizing targets in Ukraine and became uncontrollable.

Merck argued that some facts did not entirely point to Russia being behind the attack, and that even if it was, the “cyber warfare” clause could not be invoked without a clear and intentional act of war initiated by a foreign power.

The court noted that the wording of the policy was ambiguous and that in the event of ambiguity, the burden of clarifying an exception lies with the insurer. And if there is ambiguity, the court is bound to interpret the “ordinary meaning” of the words as they appear in the contract without engaging in “forced interpretation” in deciding whether to impose liability.

Under these terms, the court determined that “cyber warfare” essentially meant that there must be an actual, formal war between nations and that the action must be directly related to it for the term to apply as it is written in the contract. The ruling cited previous cases that declined to define acts of terrorism and accidents in war zones, ruling that such acts must be specifically stated by the insurer if they are to be excluded.

The court therefore upheld Merck’s second argument that it could not reasonably have expected payment to be withheld unless it was caught up in an actual act of war. Although there was enough expert and domestic attribution of the NotPetya attacks to Russia to convince the court that it was the perpetrator, this whole argument is rendered moot by the fact that Russia is not at war with the United States and did not necessarily intend to attack a US company with ransomware.

Jack Kudale, Founder and CEO of Cowbell Cyber, observes that insurance terms have changed significantly, roughly in step with the increase in ransomware and cybercrime that accompanied Bitcoin’s first gigantic value spike: “In just four years since 2017, cyber insurance has progressed dramatically. Critical elements needed to modernize the approach and achieve full alignment between policyholders and their insurers include: standardization of coverages, clarification of terms, advanced and ongoing cyber risk assessment, and transparency of the underwriting process.”

‘Cyber warfare’ exclusions likely to be rewritten in the future

The court’s decision on the NotPetya attack won’t prevent insurers from including “cyber warfare” exclusions in the future, but new policies will likely contain longer, more detailed passages that account for all of these possibilities. In the meantime, existing policies with similar language will likely prove sufficient to cover attacks from countries with which the policyholder’s government is not officially at war.

Cybercrime has exploded in recent years, driving up the average cost of damage and therefore insurance costs. Insurance companies are looking to use every trick and tactic they can to reduce coverage, even as demand hits record highs. The “cyber warfare” exception has been widely used to specifically address soaring ransomware costs and the theft of sensitive information. However, insurers still largely cover acts of “cyberterrorism”; they’re just not in a rush to categorize ransomware and other for-profit attacks in this way.

John Bambenek, Principal Threat Hunter at Netenrich, notes a growing trend of burying these “loopholes” in contracts, but believes that organizations should focus more on defense than on coverage: “The growth of ransomware pushes the financial limits of insurance companies; they were looking for escape hatches. ‘Act of war’ clauses are common in insurance contracts, but it is only in cybersecurity that there is a real risk. Organizations will need to build this gap into their risk mitigation plans, but the answer to cybersecurity has never been ‘more insurance’ anyway.”


Lloyd’s of London reportedly updated the language governing ‘cyber warfare’ terms in its policies just days before the Merck ruling was released. Several other cases of a similar nature are pending decision, including one involving food giant Mondelez that also concerns damage from the NotPetya attack.