Merck & Co has won a legal victory against its insurers over the payment of $1.4 billion in losses from the NotPetya attack, signaling a major shift in how cyberattacks are treated under the traditional war exclusion.
Merck had sued its insurers after coverage was denied for losses from an attack on the company’s computer infrastructure, on the grounds of a policy exclusion for acts of war. The 2017 NotPetya attack was attributed to Russia’s military intelligence and deployed as part of the conflict with Ukraine.
However, the New Jersey court ruled that Merck’s insurers could not invoke the war exclusion because the language in the policy applied to armed conflict. The ruling also noted that the insurers had not put Merck “on notice” that cyberattacks would not be covered, despite the evidence of state-sponsored cyberattacks on companies.
“The Merck decision is an important win for policyholders, especially in the current cyber threat landscape”, said Andrew DeField, a partner in the insurance coverage practice at Hunton Andrews Kurth LLP, speaking to Bloomberg Law.
The victory could prove short-lived, as many non-cyber policies, such as the property policy at issue in the Merck case, have been revised since NotPetya to add explicit cyber exclusions.
This is not surprising, as the cost of cyber insurance, particularly in the US, has skyrocketed on the back of large claims from ransomware payments, according to a report by Marsh. The report notes that insurers have started to restrict coverage for ransomware-related losses at companies that fail to demonstrate sufficient cyber defenses.
Since the NotPetya attack in 2017, the global “affirmative” cyber insurance sector has grown into a $7 billion market.
At the end of 2021, the LMA (Lloyd’s Market Association) issued new cyber war and cyber operation clauses that favour insurers by broadening the definition of cyber activities that can be excluded from coverage. The term “cyber operations” is particularly important, as it covers activities that do not necessarily qualify as war.
While insurers look to limit their cyber exposures, especially with regard to ransomware, many corporates will be forced to take matters into their own hands. This will include reviewing and examining their own cybersecurity policies and implementing robust defense mechanisms to protect their operations and their customers.
In the past, many corporates were not necessarily aware of their own cyber policies until the aftermath of an attack. In an era where a cyberattack can inflict serious financial losses on an organisation, that is a risk many decision makers will no longer be willing to take.