Merck's $1.4 billion cyberattack claim – the specter of NotPetya

Insurance Business America

The court ruled that insurers could not rely on the exclusion

Last week, a US state appeals court dealt a blow to a group of insurers that had relied on a war exclusion to avoid paying a portion of a $1.4 billion insurance claim from Merck, one of the largest victims of the NotPetya cyberattack.

The appeal ruling is expected to add further fuel to a flurry of wording restrictions and exclusions, and one cyber insurance expert has said that if a NotPetya-equivalent attack were to hit today, it would likely trigger a large number of payouts.

In June 2017, the NotPetya malware spread to organizations around the world after being delivered through a compromised update of a Ukrainian accounting software package. The White House and other governments went on to attribute the attack to Russia and condemn it as part of Russia’s actions against Ukraine. The attack generated collateral damage in the billions of dollars, with affected businesses reported in 65 countries. Among the biggest victims of NotPetya was the pharmaceutical giant Merck.

Now, the New Jersey appeals court has told Merck’s insurers that they may, in fact, be required to pay the $1.4 billion cyberattack claim, despite a “hostile/warlike action” exclusion in Merck’s all-risk property policies.

One avenue for further appeal remains within the US judicial system, so the outcome is not yet a foregone conclusion. Eight insurers are directly affected by the ruling, and many others linked to the lawsuit have already settled; 26 policies were originally in question. The industry has been watching the outcome of this appeal closely, following what has been seen as a disappointing end to food and drink giant Mondelez’s $100 million NotPetya war-exclusion case against insurer Zurich, which was settled out of court last November.

Merck NotPetya insurance appeal: court decision to “set things in motion”

The NJ appellate division said that the “exclusion of damages caused by hostile or warlike actions by a government or sovereign power in times of war or peace requires the involvement of military action.”

“The exclusion does not establish that the policy excluded coverage for damages arising from a government action motivated by ill will.”

In addition, it said that “the plain language of the exclusion did not include a cyberattack against a nonmilitary company that provided accounting software for commercial purposes to nonmilitary consumers, regardless of whether the attack was instigated by a private actor or a ‘government or sovereign power’”.

Even before the court rulings, insurers “routinely” covered NotPetya claims from companies facing smaller losses than Merck. That’s according to Reed Smith partner Nick Insua, part of a team that filed an amicus brief in the case on behalf of United Policyholders.

“The language at issue in Merck has been used by insurers in one form or another since the 1950s, and the appellate division’s decision is consistent with the body of case law addressing similar exclusions,” he told Insurance Business in the days following the appellate division’s decision.

While the New Jersey ruling “in no way establishes an underwriting guideline or industry coverage position,” it should “begin to put in place” greater certainty for policyholders, said Peter Hedberg, vice president of cyber underwriting at Corvus, in a comment shared with Insurance Business.

Last August, Lloyd’s sought to toughen the language around state- or nation-state-backed attacks in standalone cyber policies, having moved in 2020 to remove silent cyber from broader all-risk policies (like the one at issue in New Jersey) through mandatory cyber exclusions or affirmative cover. While some brokers have spoken out against the latest change, other cyber insurance stakeholders, such as CFC head of cyber strategy James Burns, have said the new wording is only intended to “exclude attacks that are so catastrophic that they destroy a nation’s ability to function.”

In a blog post in April defending Lloyd’s changes, Burns said that because the NotPetya attack was not an attack on the US, nor one that had a major detrimental impact on the country, “American companies, like Merck and Mondelez, should have had clear and unambiguous coverage.”

Instead, Burns said, the lay of the land meant that “traditional broad warfare exclusions in both standalone and bundled cyber policies mean customers are at the mercy of what their insurer decides.”

Outside of the war issue, policy wordings continue to be refined, with some cyber insurers going further still in an attempt to contain systemic risk. For example, some may now decline to cover a widespread operating-system infection in which the “running bones” of a computer system are taken down. There has also been increased scrutiny of policyholders’ cybersecurity measures, and debate continues over whether a federal cyber backstop or other means are needed to strengthen corporate cybersecurity.

A NotPetya-type incident: many policies would pay today

Despite the changes, and in light of the recent ruling, many current policies would likely still cover an incident like NotPetya, even where insurers argue that the policies were not written with such an event in mind and that exclusions were included. Others may carry stricter language. It’s a mixed picture, and some insurers, particularly US domestic carriers, have been slower to “get on board” with underwriting changes, according to Steve Robinson, RPS cyber practice leader.

“Cyber policies were not intended, nor are they designed, to cover large-scale physical warfare, or cases where cyber operations are a tactical element of large-scale physical warfare,” Robinson said. “The new exclusions are designed to bring more clarity to that intent. However, many carriers cite NotPetya, as a single incident that was not part of physical warfare directed at Merck, as an incident type that would still be covered, even with the new exclusions.

“Of course, there are different approaches, so this would not apply to all carriers.”

Those carriers that currently exclude on the basis of “simply nation-state attribution” could probably argue that any future NotPetya-type event would be excluded, according to Robinson.

“Ultimately, as cyber insurance matures, [insurers are] looking to provide good cover for… specific and unique attacks that can really be detrimental to an organization, while at the same time [they] also want to be clear that neither cyber insurance policies nor any other type of policy were adequately priced to contemplate such a large-scale event, where there would not be enough capital to support the business if something were to happen,” Robinson said.

Cybersecurity vulnerabilities: The “perfect storm” that could lead to a repeat of NotPetya

It doesn’t take long for an organization to feel the full force of a cyber incident. On that day in June 2017, 10,000 machines on Merck’s global network were infected with NotPetya within 90 seconds. Within five minutes this had doubled to 20,000. Ultimately, more than 40,000 machines were taken down.

More than half a decade later, vulnerabilities in many companies’ systems persist, even as insurers push for tighter security. RPS has continued to see claims from large organizations, some of which lacked the segmented backups needed to restore their systems, leaving some to view an expensive ransom payment as the “only option.” Meanwhile, the frequency of ransomware has risen again in recent months, although the propensity of organizations to pay attackers has decreased.

A NotPetya repeat may be just one “perfect storm” away: a software vendor without adequate security controls inadvertently passing malware on to equally unaware customers, Robinson said.

A good offense may be the best defense, but even as cyber defenses evolve, so do attackers’ tools. Just as security-conscious policyholders plug gaps in their defenses, carriers may need to keep patching gaps and errors in their policy wording for some time. In the meantime, whatever twists the courts produce and whatever bad actors throw at policyholders and insurers, it is incumbent on agents and brokers to explain what the patchwork quilt of cyber policies means for their customers, to keep abreast of how exclusions evolve, and to advocate for and meet their clients’ insurance needs to the best of their ability.
