The Merck claim and state-sponsored cyber attacks – is it war, and does it matter?

Insurers have failed in their efforts to deny a USD 1.4 billion insurance claim, after a New Jersey state court ruled that a war exclusion did not encompass cyber attacks – even if they are state-sponsored.[1] This is an important and high-profile decision, but does it actually provide clarity for insureds looking forwards?

Why is the dispute so high profile?

The global pharma firm, Merck, was the subject of the devastating ‘NotPetya’ cyber attack in 2017, which knocked out the systems of numerous multinational companies. Emanating from Ukraine, the attack is widely thought to have originated from the Russian military intelligence agency, the GRU. The malware crippled 40,000 computers at Merck, and caused USD 1.4 billion in losses as hardware was rendered non-functional and had to be entirely replaced.

Faced with those huge costs, Merck turned to its insurers and sought to recover under its all-risks property policy. In the absence of a specific cyber exclusion, insurers sought to rely on a traditional war exclusion to avoid cover. They argued that as the exclusion applied to ‘hostile or warlike action’ by any ‘government entity’, there was no cover for damage resulting from state-sponsored cyber attacks like NotPetya.

Insurers’ response has drawn press attention like bees to a honeypot. It has been held up as evidence that cyber coverage doesn’t respond when most needed, and that it isn’t worth the price paid. However, much of that reporting has failed to note that the claim by Merck is under a property policy, not a cyber policy. This has driven the response, with property insurers facing a huge loss on a coverage that they didn’t believe they were providing. That said, the dispute does have a bearing on cyber coverage given that similar exclusions are often found in cyber policies, and could be relied on in a future event.

What was the court’s view?

In a judgment released on 15 January, the New Jersey court found for Merck on its application for a partial motion for summary judgment. The court dismissed insurers’ argument, and found that the ‘hostile and warlike actions’ exclusion did not apply in this case. The war exclusion was intended to cover the “use of armed forces” and acts of physical force, and therefore the Russian-backed NotPetya attack fell outside its scope.

In reaching that conclusion, the judge noted that the exclusion language had remained the same for a number of years. They ruled that “warlike” should be given its ordinary, usual meaning and that consistent use of traditional insurance language – despite the clear and growing threat of cyber attacks – meant that “Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare”. An all-risks property policy provided coverage for losses against all perils not specifically excluded by the policy language. By failing to unambiguously exclude state-sponsored cyber attacks, insurers were therefore prevented from relying on the broad and non-specific war exclusion in this case.

Back to the future

On its face, the decision is a helpful one for policyholders. It confirms that traditional war exclusions may not include state-sponsored cyber attacks, so it is an important development (given a sizeable portion of cyber attacks are suspected to have at least some form of state backing).

However, the decision has limitations: it may ultimately be more of a sticking plaster than a vaccine. The Merck claim is reflective of the insurance market position at a point in time, but things have moved on in a number of respects.

Firstly, since the NotPetya attack, insurers have done a lot of work on ‘silent cyber’, particularly putting express cyber exclusions on non-cyber policies. So in a similar scenario now, there is a good chance that all-risk property insurers could simply rely on a cyber exclusion, rather than needing to look to a war exclusion.

Secondly, cyber market insurers have been working to develop updated war / terrorism exclusions to deal with state-sponsored attacks. In late 2021, the Lloyd’s Market Association (LMA) released four new exclusions that sought to clarify insurers’ exposures and would replace ‘traditional’ war exclusions in cyber policies.[2] The clauses are framed to exclude both war in the traditional physical sense, and also loss resulting from ‘cyber operations’. Cyber operations are effectively state-sponsored cyber attacks, involving use of a computer system by or on behalf of a state to attack a computer system of or in another state – and the clauses therefore have lengthy terms dealing with attribution of attacks to states.

The new exclusions vary in their scope. Some, for example, do not apply to situations where the insured assets are in a third state that is not the subject of the attack (so would not apply in the Merck scenario, save for Ukrainian assets). It remains to be seen how widely the clauses are accepted by insurers, as there is not currently market agreement. We may need to wait much longer until their effect on coverage is fully tested. Much therefore remains unclear, and future policy disputes may focus less on whether a war exclusion applies, and more on whether an attack can properly be attributed to a state.

Finally, the Merck decision relied heavily on a principle of New Jersey law, that ambiguous terms should be construed to reflect the reasonable expectations of the insured. It is not a decision that would necessarily be reached under English law, for example, where different principles and precedents would apply. It is helpful in a commercial sense but care needs to be taken.

Given the above, we recommend that you speak with your broker to discuss more fully the impact of the new clauses, and how to limit your exposure to state-backed cyber attacks.


This article was authored by members of Howden’s specialist Cyber team and Legal, Technical & Claims team. The Legal, Technical & Claims team is made up of senior insurance lawyers and experienced claims professionals, and provides support on insurance claims, policy wordings and legal and regulatory developments as they impact your business. If you have any queries on the issues raised, please feel free to contact a member of the team directly.

James Wakefield, Claims Handler:
T: +44 (0)2038 087561

Neil Warlow, Divisional Director:
T: +44 (0)7923 208441

Sam Vardy, Divisional Director:
T: +44 (0)7719 928600

Carey Lynn, Executive Director:
T: +44 (0)7923 229882

David Rees, Executive Director & Head of Cyber and Technology Solutions Team:
T: +44 (0)7535 782203

[1] Merck & Co., Inc. v. Ace American Insurance Co., No. UNN-L-002682-18 (N.J. Sup. Ct.)