
“Cyber War” Exception Struck Down in Merck’s Battle With Insurance Company Over NotPetya Attack

A recent ruling in New Jersey indicates that insurers may not be able to use “cyber war” clauses as an excuse to not pay out for remediation of ransomware attacks. Pharmaceutical giant Merck was caught up in the NotPetya attacks of 2017, and insurer Ace American refused to cover any of the $1.4 billion in damages by claiming this exception.

The suit was initiated in 2019 and has just been decided in Merck’s favor, with the court agreeing that the “cyber war” clause could only be invoked if government involvement was clearly established. As with most cyber attacks originating from Russia, attribution to its intelligence services rests not on “smoking gun” evidence but on a collection of secondary sources, which the court did not find sufficient to meet that standard.

Merck win in NotPetya attack case sets high standard for attribution to government agencies

Merck held a $1.75 billion “all risks” property insurance policy that included coverage of damage from cyber attacks. That policy appeared to be a lifesaver when the NotPetya attacks found their way onto its network in June of 2017, impacting 40,000 computers across the company and causing over a billion dollars in total damages.

However, the insurer invoked a “cyber war” clause in the policy to deny payment. It pointed to the attribution of the NotPetya attacks to Russia by the United States and United Kingdom governments, and to the broad belief in cybersecurity circles that the attacks were initially aimed at targets in Ukraine and then spread out of control.

Merck argued that certain facts left it less than clear that Russia was behind the attack, and that even if it was, the “cyber war” clause could not be invoked without a clear and intentional act of war initiated by a foreign power.

The court noted that the policy language was ambiguous, and that in the case of ambiguity the burden of clarifying an exclusion sits with the insurer. Where there is an ambiguity, the court is required to interpret the “plain meaning” of the words as they appear in the contract, without engaging in “strained construction” to decide whether liability is imposed.

Under these terms, the court determined that “cyber war,” as written in the contract, essentially required an actual formal war between nations, with the action in question directly related to that war, for the term to apply. The decision cited prior cases that declined to treat acts of terrorism, or accidents that happened within war zones, as acts of war, ruling that acts such as these must be specifically spelled out by the insurer if they are to be excluded.

The court thus supported Merck’s second argument, which was that it had no reasonable expectation of payment being denied unless it was caught up in an actual act of war. While there might have been enough expert and national attribution of the NotPetya attacks to Russia to satisfy the court that Russia was the perpetrator, that whole argument is rendered moot by the fact that Russia is not at war with the US and did not necessarily intend to attack a US firm with the ransomware.

Jack Kudale, founder and CEO of Cowbell Cyber, observes that insurance terms have been changing substantially, roughly in step with the rise in ransomware and cyber crime that accompanied Bitcoin’s first gigantic value spike: “In just four years since 2017, cyber insurance has progressed dramatically. Critical elements needed to modernize the approach and achieve full alignment between policyholders and their insurers include: standardization of coverages, clarification of terms, advanced and continuous assessment of cyber risk, and transparency in the underwriting process.”

“Cyber war” exclusions likely to be rewritten going forward

The court ruling on the NotPetya attack will not prevent insurers from including “cyber war” exclusions going forward, but new policies will likely contain longer and more detailed passages accounting for all of these possibilities. In the meantime, existing policies with similar language will likely prove sufficient to cover attacks that originate from countries with which the policyholder’s government is not formally at war.

Cyber crime has surged in recent years, driving up the average cost of damage and thus the cost of insurance. Insurance firms are looking to use any tricks and tactics they can to reduce coverage, even as demand grows to record levels. The “cyber war” exclusion has been widely used specifically to address the soaring costs of ransomware and theft of sensitive information. However, insurers still broadly cover acts of “cyber terrorism”; they are just not in a hurry to classify ransomware and other for-profit attacks that way.

John Bambenek, Principal Threat Hunter at Netenrich, notes a growing trend of these “escape hatches” being buried in contracts, but feels that organizations should focus more on defense than on coverage: “The growth of ransomware is pushing the financial boundaries of insurance companies so they’ve been looking for escape hatches. ‘Act of war’ clauses are common in insurance contracts but only in cybersecurity is there any real risk of that. Organizations will have to bake in this gap into their risk mitigation plans but the answer to cybersecurity has never been ‘more insurance’ anyway.”

Lloyd’s of London reportedly updated the language governing “cyber war” terms in its policies just days before the Merck ruling was handed down. Several other cases of a similar nature are awaiting decisions, including one involving food giant Mondelez that also concerns damages from the NotPetya attack.