Court says insurers must pay Merck for losses related to the Russia-linked NotPetya cyberattack.
The Superior Court of New Jersey Appellate Division has ruled in favor of Merck in its $1.4 billion claim against the insurance industry for denying payment for damages caused by the 2017 NotPetya cyberattack. Merck did not have separate cyber insurance, and instead relied on the ‘all risks’ element of its property insurance.
According to Merck, within ninety seconds of the initial NotPetya infection, roughly 10,000 machines in its global network were infected by the malware, and over 40,000 machines were ultimately infected across the company globally.
The insurers claimed that the property insurance was subject to a war exclusion clause, and the “exclusion is clear and unambiguous, and it plainly applies to the NotPetya attack.”
Judges Currier, Mayer and Enright have now disagreed, and declared, “We have addressed the exclusion in terms of the presented circumstances before us. And we have found the Insurers have not satisfied their burden to show it could be fairly applied to the NotPetya cyberattack. That is the scope of our review. Therefore, we decline the Insurers’ request to delineate the exact scope of what cyberattacks might be encompassed under the hostile/warlike exclusion.”
This is an interesting position. While declining to accept the nation-state NotPetya attack as an act of war, they have also declined to define what type of cyberattack could be defined as an act of war.
But as far as this case is concerned, that is academic. The court concluded, “terms similar to ‘hostile or warlike action’ by a sovereign power are intended to relate to actions clearly connected to war or, at least, to a military action or objective. Therefore, in addition to the plain language interpretation of the exclusion requiring the inapplicability of the exclusion, the context and history of this and similarly worded exclusions and the manner in which similar exclusions have been interpreted by courts all compel the conclusion that the exclusion was inapplicable to bar coverage for Merck’s losses.”
David Cummings, a partner in the litigation practice group of Reed Smith (who authored an amicus brief filed by United Policyholders in the case), commented, “The Appellate Division’s decision is an important win for policyholders who continue to seek (and pay substantial premiums for) certainty with respect to their insurance coverage in the face of these often uncertain cyberattacks.
“In many ways, this decision boils down to the Court’s thoughtful application of fundamental principles of insurance law: exclusionary provisions must be construed narrowly against the insurer, any ambiguities must be resolved in the insured’s favor and consistent with the insured’s reasonable expectations. On that score, the Court correctly determined that the plain language of the policies’ hostile/warlike action exclusion simply cannot reasonably be interpreted as encompassing a cyberattack on a non-military company providing commercial services to non-military customers.”
Cyber is, however, considered to be a modern theater of war – and cyber changes faster than any other modern arena. Discussion will likely continue over the validity of applying historical definitions to the new world.
Nevertheless, continued Cummings, “The mere presence of hostile or warlike action is not enough where, as here, the underlying activity is commercial in nature, and the damage is not caused by a warlike attack directed at the policyholder. In sum, the Court’s decision was a meaningful affirmation that plain language and the core, policyholder-friendly tenets of insurance law must ultimately prevail.”
This may or may not be the end of the Merck case, but it is probably just the beginning of future arguments about what can or cannot be construed as a cyber act of war. A $1.4 billion payout is no small matter for the insurance industry and is bound to have future ramifications for the cyber – and property – insurance industry.
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.