A US court has thrown out an attempt by insurers to avoid paying damages to Merck & Co. resulting from a devastating ransomware attack in 2017 that crippled over 40,000 computers across the company.
The pharmaceutical company was one of numerous victims of the NotPetya attacks that rippled across Ukraine and then beyond and which were attributed by the UK’s NCSC to the Russian military.
(The attacks made use of the National Security Agency's EternalBlue and EternalRomance exploits, which the "Shadow Brokers" group had stolen and released as part of four sets of stolen NSA material.)
Merck & Co. had taken out $1.75 billion of property insurance to protect against losses. That coverage included "destruction or corruption" of computer data and software, and Merck claimed damages under that policy.
The ransomware attack cost it a claimed $1.4 billion in losses.
Its insurers, however, had argued that the policy contained an exclusion for "hostile or warlike action in time of peace or war [including by not just a sovereign power but] an agent of such government, power, authority, or forces", that the NotPetya malware was an instrument of the Russian government, and that the exclusion therefore applied.
Legally, however, the burden of proof was on the insurer to show that the exclusion applied.
Ransomware attack on Merck: "Insurers did nothing..."
This week, they manifestly failed to persuade a judge of the merits of that argument.
New Jersey Superior Court Judge Thomas J. Walsh ruled Jan. 13 that Merck's insurers (those named in the suit included units of Allianz SE and Zurich) can't claim the war exclusion because its language is meant to apply to armed conflict. (That's despite "cyber" increasingly being recognised as the fifth domain of warfare.)
As he put it bluntly in this docket, first reported by Bloomberg: “As Plaintiff correctly notes in its’ brief, no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein….
"Cyber attacks of various forms, sometimes from private sources and sometimes from nation-states have become more common”, he added. “Despite this, insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks."
Judge Walsh noted: "To avoid coverage 'it is not sufficient for the all risk insurers' case for them to offer a reasonable interpretation under which the loss is excluded; they must demonstrate that an interpretation favouring them is the only reasonable reading of at least one of the relevant terms of exclusion'".
War exclusions in cyber insurance
The case comes as insurers aim to tighten up their war exclusion policies. The Lloyd's Market Association (LMA), a membership network for the influential insurance marketplace, in November 2021 for example published four alternative clauses to include in standalone cyber-insurance contracts. These have been drafted to meet Lloyd's requirements, set out in July 2020, which state that "all insurance and reinsurance policies written at Lloyd's must, except in very limited circumstances, contain a clause which excludes all losses caused by war".
The different clauses have been “drafted to provide Lloyd’s syndicates and their (re)insureds (and brokers) with options in respect of the level of cover provided for cyber operations between states which are not excluded by the definition of war, cyber war or cyber operations which have a major detrimental impact on a state” the LMA said, noting that underwriters should closely “consider the coverage provided, their outwards reinsurance wording and the resultant impact on exposures across the portfolio” when choosing which clause to use.
The clauses offer subtly different approaches to how insurers frame the cyber war exclusion.
One, for example, notes that a policy does not cover “any loss, damage, liability, cost or expense of any kind (together “loss”) directly or indirectly, occasioned by, happening through or in consequence of:
“1.1. war or a cyber operation that is carried out in the course of war; and/or 1.2. retaliatory cyber operations between any specified states leading to two or more specified states becoming impacted states; and/or 1.3. a cyber operation that has a major detrimental impact on: 1.3.1. the functioning of a state due to the direct or indirect effect of the cyber operation on the availability, integrity or delivery of an essential service…
One of the clauses explicitly ensures "paragraph 1.3 shall not apply to the direct or indirect effect of a cyber operation on a bystanding cyber asset", suggesting that other policies may not cover collateral damage of an APT campaign. (It defines "bystanding cyber asset" as a "computer system used by the insured or its third party service providers that is not physically located in an impacted state but is affected by a cyber operation".)