[BreachExchange] “Cyber War” Exception Struck Down in Merck’s Battle With Insurance Company Over NotPetya Attack

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Feb 4 12:54:16 EST 2022


https://www.cpomagazine.com/cyber-security/cyber-war-exception-struck-down-in-mercks-battle-with-insurance-company-over-notpetya-attack/

A recent ruling in New Jersey indicates that insurers may not be able to
use “cyber war” clauses as an excuse to not pay out for remediation of
ransomware attacks. Pharmaceutical giant Merck was caught up in the
NotPetya attacks of 2017, and insurer Ace American refused to cover any of
the $1.4 billion in damages by claiming this exception.

The suit was initiated in 2019 and has just been decided in Merck’s favor,
with the court agreeing that the “cyber war” clause could only be invoked
if government agencies were clearly involved. As with most cyber attacks
originating from Russia, attribution to its intelligence services does not
rest on “smoking gun” evidence but rather on a collection of secondary
sources, which the court did not find to meet the standard.

Merck win in NotPetya attack case sets high standard for attribution to government agencies
Merck held a $1.75 billion “all risks” property insurance policy that
included coverage of damage from cyber attacks. That policy appeared to be
a lifesaver when the NotPetya attacks found their way onto its network in
June of 2017, impacting 40,000 computers across the company and causing
over a billion dollars in total damages.

However, a “cyber war” clause in the policy was invoked by the insurer to
deny payment. The insurer pointed to attribution of the NotPetya attacks to
Russia by the United States and United Kingdom governments, with there
being a broad belief in cybersecurity circles that the attacks were
initially meant to antagonize targets in Ukraine and got out of control.

Merck argued that certain facts made it not entirely clear that Russia was
behind the attack, and that even if it was the “cyber war” clause could not
be invoked without a clear and intentional act of war initiated by a
foreign power.

The court noted that the policy language was ambiguous, and in the case of
ambiguity the burden of clarifying an exception sits with the insurer. And
if there is an ambiguity, the court is required to interpret the “plain
meaning” of the words as they appear in the contract without engaging in
“strained construction” to decide on imposing liability.

Under these terms, the court determined that “cyber war” essentially meant
that there needed to be an actual formal war between nations, and that an
action would need to be directly related to that war, for the term to apply
as written in the contract. The decision cited prior cases that decided against defining
acts of terrorism and accidents that happened within war zones, ruling that
acts such as these must be specifically spelled out by the insurer if they
are to be excepted.

The court thus supported Merck’s second argument, which was that it did not
have a reasonable expectation of payment being denied unless it was caught
up in an actual act of war. While there might have been enough expert and
national attribution of the NotPetya attacks to Russia to satisfy the court
that it was the perpetrator, that whole argument is rendered moot by the
fact that Russia is not at war with the US and did not necessarily intend
to attack a US firm with the ransomware.

Jack Kudale, founder and CEO of Cowbell Cyber, observes that insurance
terms have been changing substantially, roughly in step with the rise in
ransomware and cyber crime that came with Bitcoin’s first gigantic value
spike: “In just four years since 2017, cyber insurance has progressed
dramatically. Critical elements needed to modernize the approach and
achieve full alignment between policyholders and their insurers include:
standardization of coverages, clarification of terms, advanced and
continuous assessment of cyber risk, and transparency in the underwriting
process.”

“Cyber war” exclusions likely to be rewritten going forward
The court ruling on the NotPetya attack will not prevent insurers from
including “cyber war” exclusions going forward, but new policies will
likely have longer and more detailed passages accounting for all of these
possibilities. In the meantime, existing policies with similar language
will likely prove sufficient to cover attacks that originate from countries
the policy holder’s government is not formally at war with.

Cyber crime has surged in recent years, driving up the average cost of
damage and thus the costs of insurance. Insurance firms are looking to use
any tricks and tactics they can to reduce coverage, even as demand grows to
record levels. The “cyber war” exception has been widely used to
specifically address the soaring costs of ransomware and theft of sensitive
information. However, insurers still broadly cover acts of “cyber
terrorism”; they’re just not in a hurry to classify ransomware and other
for-profit attacks in that way.

John Bambenek, Principal Threat Hunter at Netenrich, notes a growing trend
in these “escape hatches” being buried in contracts but feels that
organizations should focus more on defense than on coverage: “The growth of
ransomware is pushing the financial boundaries of insurance companies so
they’ve been looking for escape hatches. ‘Act of war’ clauses are common in
insurance contracts but only in cybersecurity is there any real risk of
that. Organizations will have to bake this gap into their risk
mitigation plans but the answer to cybersecurity has never been ‘more
insurance’ anyway.”

Lloyd’s of London reportedly updated the language governing “cyber war”
terms in policies just days before the Merck ruling was passed down.
Several other cases of a similar nature are pending decisions, including
one involving food giant Mondelez that also involves damages from a
NotPetya attack.