When the NotPetya malware hit the pharmaceutical company Merck in 2017, it did massive amounts of damage. The malware affected 40,000 of the company’s computers, costing it more than $1.4 billion in losses. Because of the disruptions, the Merck production facilities couldn’t meet demand for the HPV vaccine Gardasil 9. To meet consumer need, the company completely wiped out the U.S. emergency supply of the vaccine by borrowing 1.8 million doses from the Pediatric National Stockpile. (The stockpile has since been replenished, though Merck had to borrow from it again in 2019.)
No surprise, then, that Merck, like many companies, turned to its insurance coverage to recoup some of the enormous losses NotPetya caused. Merck, in particular, had $1.75 billion in property insurance that it hoped would cover the computer damages and business interruption losses it suffered as a result of NotPetya. But the company’s claim was denied on the grounds that NotPetya was an act of cyberwar—because the malware had been designed and released by the Russian government as part of an ongoing conflict with Ukraine—and therefore was not covered by the standard property insurance policy. So Merck, like other companies that had been denied coverage for NotPetya-related damages on similar grounds, sued its insurers.
There haven’t been many clues about how courts would view these lawsuits until December, when, in a significant victory for the companies seeking coverage, a New Jersey Superior Court judge ruled that Merck’s insurers couldn’t apply the exception in its policy for warlike acts to NotPetya. In a decision that has far-reaching implications for all insurers and policyholders considering how their policies may or may not apply to future state-backed cyberattacks, Judge Thomas J. Walsh wrote that the hostile or warlike acts exclusion in Merck’s property policy “is not applicable” to NotPetya.
To understand why this dispute has been so complicated and so fraught—stretching out now for several years—it’s helpful to understand what the actual exclusion in Merck’s policies says. The policies all have virtually identical language, Walsh notes, that excludes coverage for any: “loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack:
a) By any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval or air forces;
b) Or by military, naval or air forces;
c) Or by an agent of such government, power, authority or forces.”
Because NotPetya has been so repeatedly and exhaustively attributed to the Russian government, including by the governments of the United States, the United Kingdom, Canada, and Australia, among others, it’s pretty clear that it was an action by a government. It’s not even really disputed that the primary purpose of the NotPetya malware was to target Ukrainian infrastructure as part of the Russia-Ukraine conflict. What’s less clear is whether an act of cyber sabotage like NotPetya meets the criteria for being a “hostile or warlike action”—particularly when it hits targets like Merck that are completely irrelevant and peripheral to the tensions between Russia and Ukraine.
There have been earlier insurance disputes about plane hijackings or terrorist attacks and whether they qualify for coverage or fall under similar exclusions—indeed, Walsh cites some of those decisions in his ruling. But most of those decisions hinged on the fact that the terrorist groups involved were not recognized governments. For instance, Walsh cites a 2019 dispute between Universal Cable Productions and its insurer over whether its insurance policy would cover the costs of moving production of its television show Dig to a new location from its initial shoot in Jerusalem due to attacks by Hamas. In that case, the 9th Circuit Court of Appeals found that the war exclusion did not apply to the Hamas attacks because Hamas was not a “de jure or de facto sovereign.” Russia and Ukraine are both pretty clearly sovereign governments, so that logic is less helpful to Merck in this case—and may even be one of the reasons that the insurers believed they could win this suit in court.
But Walsh was not swayed by that logic. He points out in his ruling that “no court has applied a war (or hostile acts) exclusion to anything remotely close” to NotPetya before and that the insurers have not bothered to update the language in their war exclusions for years despite knowing that nations often initiate cyberattacks. “Both parties to this contract are aware that cyber attacks of various forms, sometimes from private sources and sometimes from nation-states have become more common,” Walsh wrote. “Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks.”
Walsh was also sympathetic to Merck’s argument that it understood the exclusion to apply to situations that “involved the use of armed forces”—a bad sign for insurers hoping it can apply to cyberattacks in general. And he pointed out that earlier case law suggests that losses somewhat removed from the Russia-Ukraine conflict—like those suffered by a multinational company headquartered in New Jersey—are even less likely to be considered the direct result of a hostile or warlike act that was occurring on an entirely different continent. These are all promising signs for other companies, including multinational food company Mondelez, that are challenging their insurers in court over being denied coverage for NotPetya. But while this ruling may be good news for companies that are trying to claim coverage for other cyberattacks perpetrated by nation-states, it’s also a very clear signal of where the cyberinsurance market is heading.
Walsh’s contention that Merck’s insurers failed to update the language in their exclusions to apply to cyberattacks is nearly a guarantee that the insurers will now move to do exactly that. Already, since NotPetya, insurers have taken steps to try to clarify some of the language around what is included and excluded from their cyber coverage, though in some cases this has only generated more confusion. For instance, efforts to include coverage for “cyber terrorism” but exclude coverage for war have led to a tremendous amount of uncertainty about what the difference between cyberwar and cyber terrorism actually is. All of this is the result of insurers trying to reassure their customers that they do cover most types of serious security incidents (like cyber terrorism) while still maintaining their ability to deny coverage for the really damaging incidents (like NotPetya).
With luck, the Merck ruling will force insurers to be a little clearer in their policies about what they do and do not cover. That may be easier said than done, though. After all, it is always a little bit difficult to anticipate exactly what the next big cyberattack will look like and find the right language to be confident that you have definitely included—or excluded—it in your insurance policy. But Walsh’s ruling is a good reminder to insurers that the challenges of describing cyberattacks precisely are not a reason to rely on years-old language that long pre-dates them, and that it’s time for insurers to at least try to nail down the specifics of which types of incidents they will and won’t pay for.