The Merck appeal: cyber insurance and the definition of war

Pharmaceutical firm Merck recently won an appeal that could mean its insurers will have to pay up on a $1.4-billion judgment related to the NotPetya cyberattack in 2017. The New Jersey appellate division judges hearing the appeal judge noted that the plain definition of war applies to the various insurance policies and that a cyberattack against an accounting firm not engaged in hostilities, while criminal and based on ill-will, was not tantamount to an act of war.

As detailed in the judges’ decision, many of the original defendants settled their portion of the insurance claim with Merck. In a separate yet parallel case involving multinational food and beverage company Mondelez International and Zurich American Insurance, a settlement was also reached, missing the opportunity to have a telling effect and adjustment on how cyber insurance will be treated going forward.

Lloyd’s settlement gives clues about the future of cyber insurance

This rejection of the appeal by the insurance companies and the actions taken in March 2023 by Lloyd’s of London give us some direction when it comes to understanding how cyber insurance will likely be handled in the future — which is that cybersecurity exclusions will be more clearly defined. An amici brief filed by the Insurance Law Scholars in the Lloyd’s case noted that the trial court’s decision should be affirmed because it was “supported by the drafting history of war exclusions” and the insurers “failed to use readily available insurance policy provisions that would have excluded or limited the coverage provided for cyber-related events.”

On page 23 of the judges’ decision in the Merck case, the verbiage is more direct: “Coverage could only be excluded here if we stretched the meaning of ‘hostile’ to its outer limit in an attempt to apply it to a cyberattack on a noncombatant firm that provided accounting software updates to various non-combatant customers, all wholly outside the context of any armed conflict or military objective.” The judges noted that that approach would conflict with basic principles that require courts to narrowly construe an insurance policy exclusion. “The specific, plain, clear, and prominent meaning of, and the clear import and intent of, a word or phrase in an exclusion does not equate to its broadest possible interpretation, but rather its narrowest.”

If this were a soccer match, it would appear the court is calling it an “own goal” by the insurer.

Why is defining what counts as war important?

The war exclusion was found to be not applicable, and the court used the insurer’s own words to detail the “why” behind the denial. When read by a layman such as me, it appears the judges believed the insurers had ample time to adjust their policy dynamics and didn’t get around to it.

I reached out to Violet Sullivan, vice president of client engagement for Redpoint Cybersecurity and cybersecurity law adjunct professor at Baylor Law School, and asked for her perspective, given her background. She believes the ruling will most likely be appealed to the New Jersey Supreme Court. In addition, she noted that the insurer shouldered the burden of proof, and the court and appeal judges ruled that burden had not been met.

War on the ground versus war in cyberspace

Sullivan suggested that instead of this being a question of attribution and determining which foreign government the attack was tied to, the entire initial 2022 decision depends on an arbitrary differentiation between physical/kinetic or cyber warfare. It’s focused on the nature of the attack and what war meant in the policy and in legal precedent.

That said, when a nation’s intelligence entities run covert operations, which Russia does on a regular basis, the goal of the government at hand is to always maintain plausible deniability any illegal acts. Could the NotPetya attack have been sponsored by the Russian Federation? Absolutely, and indeed, Kroll Cyber Security, the cyber consultant for the insurers, opined before the court “with high confidence” that the attack was “orchestrated by actors working for or on behalf of the Russian Federation.” Yet, one should note that when the US Department of Justice had the opportunity to pin the tail on that same donkey, they demurred.

Thus, if a national government is not going to attribute nation-state sponsorship to an attack, then it will be most difficult for an insurance entity to successfully do so within the courts without explicit verbiage in the cybersecurity exclusions.