The multinational pharmaceutical company sued its insurers, who had denied coverage for NotPetya’s impacts to its computer systems, citing a policy exclusion for acts of war. The 2017 malware attack, deployed as part of a conflict with Ukraine, was attributed to Russia’s military intelligence agency.
New Jersey Superior Court Judge
“The Merck decision is an important win for policyholders, especially in the current cyber threat landscape,” said Andrea DeField, a partner in the insurance coverage practice at Hunton Andrews Kurth LLP.
The New Jersey court was considering coverage under an all-risk property insurance policy, rather than under a cyber-specific policy. Both types of policies often contain exclusions barring coverage for war or warlike action.
Courts typically have applied such exclusions to traditional forms of warfare, which is why insurers’ initial denial of coverage for Merck’s cyber losses “raised the alarm” that insurers may be trying to broaden the exclusion’s reach, DeField said in an email.
Some non-cyber policies, such as property policies, have been revised since the NotPetya attacks to add robust cyber exclusions, DeField added, though war exclusions tend to make an exception for acts of cyberterrorism.
“Fortunately, many cyber insurance policies on the market still contain narrow war exclusions and appropriate exceptions that should preserve coverage for the vast majority of cyber incidents,” DeField said.
The question of whether a cyberattack counts as an act of war is one piece of a broader insurance industry “reckoning,” according to Josephine Wolff, an associate professor of cybersecurity policy at Tufts University.
The cost of cyber insurance in the U.S. has surged as ransomware payments drive up claims, according to a recent report from broker Marsh McLennan. That’s made insurance underwriters ramp up their scrutiny of cyber policies, with insurers narrowing coverage for ransomware-related losses at companies that fail to demonstrate sufficient cyber defenses, the report said.
“This will hasten the urgency of those conversations,” Wolff said of the Merck case.
Another similar case involving
The two cases could have ripple effects not just for the insurance industry but for companies seeking coverage for hacks, according to John Reed Stark, a cybersecurity consultant.
Companies often don’t know what their insurance covers until they’re facing a cyber incident, Stark said. “That needs to change,” he said, adding that companies should carefully review their insurance policies as part of their incident response plans.
As insurers look to limit their exposure to cyber risks, especially ransomware, companies vulnerable to hacks “may not be able to rely on insurance to cover as much,” said Luke Tenery, a partner at StoneTurn, a regulatory, compliance, and investigations advisory firm. That means companies should be thinking about ways to manage more of the cyber risks themselves through defensive measures, Tenery said.
Merck’s lawyer Russell Hewit, founding partner of Dughi Hewit & Domalewski, didn’t immediately respond to a request for comment. A lead lawyer for Merck’s insurers, Philip Silverberg, partner at Mound Cotton Wollan & Greengrass LLP, also didn’t immediately respond to a request for comment. Insurers named in the Merck suit include units of
The case is Merck & Co. Inc. vs. Ace American Insurance Co. et al, N.J. Super. Ct., No. L-002682-18, summary judgment 1/13/22.