Merck’s $1.4 Billion Insurance Win Splits Cyber From ‘Act of War’

By | October 3, 2023
Merck’s .4 Billion Insurance Win Splits Cyber From ‘Act of War’

Merck & Co.‘s victory in a legal dispute with insurers over coverage for $1.4 billion in losses from malware known as NotPetya is expected to force insurance policies to more clearly confront responsibility for the fallout from nation-state cyberattacks.

The multinational pharmaceutical company sued its insurers who had denied coverage for NotPetya’s impacts to its computer systems, citing a policy exclusion for acts of war. The 2017 malware attack was attributed to Russia’s military intelligence agency, deployed as part of a conflict with Ukraine.

New Jersey Superior Court Judge Thomas J. Walsh ruled Jan. 13 that Merck’s insurers can’t claim the war exclusion because its language is meant to apply to armed conflict. The ruling noted that insurers didn’t change the war language to put companies like Merck “on notice” that cyberattacks wouldn’t be covered, despite a trend of attacks by countries like Russia hitting private sector companies.

“The Merck decision is an important win for policyholders, especially in the current cyber threat landscape,” said Andrea DeField, a partner in the insurance coverage practice at Hunton Andrews Kurth LLP.

The New Jersey court was considering coverage under an all-risk property insurance policy, rather than under a cyber-specific policy. Both types of policies often contain exclusions barring coverage for war or warlike action.

Courts typically have applied such exclusions to traditional forms of warfare, which is why insurers’ initial denial of coverage for Merck’s cyber losses “raised the alarm” that insurers may be trying to broaden the exclusion’s reach, DeField said in an email.

Some non-cyber policies, such as property policies, have been revised since the NotPetya attacks to add robust cyber exclusions, DeField added, though war exclusions tend to make an exception for acts of cyberterrorism.

“Fortunately, many cyber insurance policies on the market still contain narrow war exclusions and appropriate exceptions that should preserve coverage for the vast majority of cyber incidents,” DeField said.

Industry ‘Reckoning’

The question of whether a cyberattack counts as an act of war is one piece of a broader insurance industry “reckoning,” according to Josephine Wolff, an associate professor of cybersecurity policy at Tufts University.

The cost of cyber insurance in the U.S. has surged as ransomware payments drive up claims, according to a recent report from broker Marsh McLennan. That’s made insurance underwriters ramp up their scrutiny of cyber policies, with insurers narrowing coverage for ransomware-related losses at companies that fail to demonstrate sufficient cyber defenses, the report said.

“This will hasten the urgency of those conversations,” Wolff said of the Merck case.

Another similar case involving Mondelez International Inc. will likewise test whether its insurer Zurich Insurance Group Ltd. must cover the fallout from NotPetya. The Mondelez case is ongoing in the Illinois Circuit Court for Cook County.

The two cases could have ripple effects not just for the insurance industry but for companies seeking coverage for hacks, according to John Reed Stark, a cybersecurity consultant.

Companies often don’t know what their insurance covers until they’re facing a cyber incident, Stark said. “That needs to change,” he said, adding that companies should carefully review their insurance policies as part of their incident response plans.

As insurers look to limit their exposure to cyber risks, especially ransomware, companies vulnerable to hacks “may not be able to rely on insurance to cover as much,” said Luke Tenery, a partner at StoneTurn, a regulatory, compliance, and investigations advisory firm. That means companies should be thinking about ways to manage more of the cyber risks themselves through defensive measures, Tenery said.

Merck’s lawyer Russell Hewit, founding partner of Dughi Hewit & Domalewski, didn’t immediately respond to a request for comment. A lead lawyer for Merck’s insurers, Philip Silverberg, partner at Mound Cotton Wollan & Greengrass LLP, also didn’t immediately respond to a request for comment. Insurers named in the Merck suit include units of Allianz SE and Zurich.

The case is Merck & Co. Inc. vs. Ace American Insurance Co. et al, N.J. Super. Ct., No. L-002682-18, summary judgment 1/13/22.