June 27, 2017, marks the day of the most aggressive cyberattack in history. The NotPetya malware attack, instigated by Russian military hackers, ripped through business organizations in more than 60 countries, causing billions of dollars of damage in mere hours. Major multinational corporations, including American pharmaceutical giant Merck & Co. and the Russian state-owned oil producer Rosneft, were brought to their knees by the malware, resulting in massive monetary losses and worldwide operational paralysis.
The impact of the NotPetya attack began a new era for business owners, insurers and the cybersecurity industry, as these sectors began to grapple with the new reality of modern cyberwarfare, in addition to the complexities of recovering (financially and otherwise) after an attack. The contentious legal battle brought by Merck & Co. to recover insurance payouts for its $1.4 billion in losses introduced the question of whether insurers even have to cover this class of cyberattacks.
The Cyberattack
It all began in Ukraine. On the western side of Kiev, the family-run software business Linkos Group was responsible for developing a key player in this story: an accounting software named M.E. Doc. Russian military hackers, intending to target Ukraine with cyberwar tactics, gained access to M.E. Doc’s software updates, allowing them to access customer computer systems. The hackers were thereafter capable of executing code on the customers’ networks without detection, enabling them to leave the computers inoperable.
At the time, Merck was using M.E. Doc to transmit invoice and financial data to the Ukrainian government. On June 27, 2017, NotPetya infiltrated Merck’s computer systems through M.E. Doc. Within 90 seconds of the initial infection, around 10,000 Merck machines were infected; within five minutes, about 20,000 machines were infected. Ultimately, more than 40,000 of Merck’s computers were infected with the malware. This caused production facilities to go offline and created large disruptions to Merck’s operations, including manufacturing, research and development, and sales. Merck alone claimed $1.4 billion in losses from the attack.
Merck was not the only company impacted by the attack. The NotPetya malware spread through more than 64 countries and affected other major multinational corporations. American food company Mondelez International Inc. lost a purported $100 billion from the attack. Danish shipping titan Maersk, a company that is responsible for more than one-fifth of global trade, lost between $250 and $300 million. Computers at a Pennsylvania hospital were infected. FedEx’s European subsidiary, TNT Express, lost $400 million. Computer systems that monitor radiation at the Chernobyl Nuclear Power Plant went down.
To top it off, the malware spread back into Russia, hitting Rosneft, a government-backed oil producer, and Home Credit Bank, one of the country’s top lenders.
The total damage from NotPetya is estimated at a staggering $10 billion globally.
The Litigation
After all was said and done, the real battle began for business entities: getting insurance payouts to recoup losses. As the cost of cybercrime escalates, with a projected estimate of $10.5 trillion annually by 2025, insurance battles over cybercrime will likely become a key focus in the insurance and litigation worlds.
N.J. District Court
In the case of Merck and its attempts to recoup from the NotPetya attack, the lawsuit turned on the application of a common insurance provision—a “warlike-action” exclusion—first seen in insurance policies in the 1800s.[i]
A war exclusion, used in both cyber policies and property or liability policies, excludes losses caused by “warlike” action. Initially, war exclusions were introduced by Lloyd’s of London market insurers to exclude war risks from marine coverage policies in the shipping business. Today, the exclusions turn on two questions: “First, is the loss-causing conduct attributable to a sovereign state? Second, is the loss-causing conduct properly characterizable as ‘warlike’?”[ii]
These questions create considerable uncertainty in the context of cyber operations. The focus on the warlike-action exclusion in Merck’s lawsuit precipitated heavy scrutiny by the insurance and cybersecurity industries. The rising prevalence of nation-state and criminal ransomware cases linked to world conflicts, such as in the Israel-Hamas War and the Russian invasion of Ukraine, meant the outcome could dramatically transform future cyber-insurance coverage.
Before the attack, Merck purchased a $1.75 billion “all risks” property insurance policy that was intended to protect against just the type of damage that NotPetya caused: loss resulting from destruction or corruption of computer data and software. Therefore, Merck, believing it was entitled to a payout, submitted a notice of loss to its insurers in July 2017. The insurers, however, were adamant that the “all risk” policy contained a warlike-action exclusion that allowed them to avoid paying for the damage. The insurers claimed the exclusion applied due to the attack originating from the Russian Federation and, in a ‘warlike’ manner, targeting Ukraine. Merck, understandably eager to secure the insurance funds, brought a lawsuit in New Jersey district court in 2018 to litigate the issue. Merck initially brought suit against over 30 insurance companies, many of which decided to settle their claims rather than litigate against Merck.
On January 22, 2022, after numerous oral arguments on the application (or non-application) of the warlike-action exclusion on Merck’s claim, the district court granted summary judgment in Merck’s favor. In doing so, the court found that no reasonable fact finder could conclude that the warlike-action exclusion applied in Merck’s case, even after viewing the evidence in the light most favorable to the insurance companies. The court noted that no other court in history had applied a warlike-acts exclusion to any case “remotely close to the facts”[iii] present in Merck’s lawsuit.
The court also stressed that the insurance company’s policy language had been the same for many years, something that the court found interesting given the ever-increasing rise of cyberattacks. This presented an opportunity for the insurance company to update their exemptions in order to put Merck on notice that cyberattacks were not covered—an opportunity that the insurance company failed to take. In the words of the court, “Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.”[iv] This meant a big win for Merck, and a big scare for insurance companies worldwide using antiquated warlike-action exclusions.
N.J. Appellate Court
As was highly foreseeable by those within the relevant industries, Ace American and the remaining insurance companies who failed to come to a settlement with Merck appealed the district court’s decision to the New Jersey Appellate Court. A flood of opinions from amicus curiae (organizations permitted to assist courts in a particular case) urged the appellate court to affirm or deny the district court’s decision. American Property Casualty Insurance Association, a national trade association for insurers, contended that Merck’s damage fell squarely within the meaning of a warlike-action exclusion.
On the other side, the New Jersey Association of Counties, United Policyholders, various insurance law scholars, and more contended that the district court’s findings were correct and that the appellate court should affirm the case in favor of Merck. Another group of well-versed international law professors and former government lawyers argued “[t]he terms ‘war’ and ‘hostilities’ are terms of art that have long been understood as describing the use of armed force between rival states”[v] and that the U.S. government “has been careful not to broaden the legal definitions of these categories, despite the advent of various types of malicious cyber activity.”[vi]
On May 1, 2023, the appellate court concluded that the insurers simply had not been able to demonstrate that the warlike-action exclusion applied under the circumstances of Merck’s case. The court found that similar exclusions had never been applied in a situation that was not clearly war or military action. Merck had risen victorious once again, with the court finding it was entitled to about $700 million in claims.
N.J. Supreme Court
The insurance companies were not done fighting, however. Their appeal to the New Jersey Supreme Court was granted on July 19, 2023. The appeal focused on the same warlike-action issue as in Merck’s case. But, in early January 2024, days before the supreme court was scheduled to hear oral arguments, Merck filed documents with the Court indicating that it reached a settlement with the insurers. The terms and amount of the settlement have not been disclosed, but the settlement meant an end to the six-year legal battle.
The settlement allowed the insurance companies to avoid having an unfavorable state supreme court opinion as precedent. But, the lower New Jersey court rulings provided incentive enough for insurers to both wrap up their issues with other insured companies claiming damage from NotPetya and to quickly fine-tune their policies to avoid future payouts. For example, after the New Jersey district court ruling for Merck in 2022, Mondelez International settled its lawsuit against Zurich American Insurance over its $100 million NotPetya claim. Additionally, in 2022, Lloyd’s announced that losses from cyberattacks “have the potential to greatly exceed what the insurance market is able to absorb,” and that they are requiring “all stand-alone cyberattack policies … must include … a suitable clause excluding liability for losses arising from any state-backed cyberattack.”[vii]
Looking Forward
Insurance companies, although averse to major risk, need some risk appetite to bring in premiums. Beyond a certain point of risk, however, they simply cannot afford to pay.
“Systemic risk is an ongoing concern. Property catastrophes typically affect a limited geographic area, but a cyber catastrophe, as we saw with NotPetya, can go worldwide,” said Fred Eslami,[viii] an associate director at AM Best, a credit-rating agency specializing in the insurance industry.
On top of this, as with NotPetya, cyber incidents can be perpetrated by foreign governments or quasi-state actors, even though it can be very difficult to identify hackers and determine whether they are truly backed by a government. According to McGuireWoods, a Chicago-based governmental affairs law and consulting firm, policyholders “should not assume that traditional ‘war’ exclusions drafted during the Cold War necessarily bar coverage for 21st century attacks in cyberspace.”[ix]
The answer to this cyber uncertainty seems clear, at least, for some insurance providers. The Merck litigation and other disputes stemming from NotPetya gave the insurance industry time to limit their exposure by adding new exclusions for cyberattacks caused by state actors or in connection with warlike conduct. Insurance Law Scholars, one of the amicus advisers from the Merck case, stated simply that the insurance companies deserved to lose because they “failed to use readily available insurance policy provisions that would have excluded or limited the coverage provided for cyber-related events.”[x] (italics added by author)
Global law firm Latham & Watkins LLP is advising clients that policyholders have several options in the face of the new war-exclusion developments: First, the new—and narrowed—terms of war exclusions in policies may be negotiable; second, policyholders can place coverage with insurers that are not narrowing their exclusion language; or third, policyholders can simply find alternative insurance products with more favorable terms. But, as with any language changes in policies, every additional contractual word included or excluded could be a breeding ground for future litigation.
“Hardly a day goes by without a news story about some type of cyberattack,” said Alan Rutkin and Rob Tugander, law partners at Rivkin Radler LLP.[xi] Although NotPetya is not a current threat, its perpetrators are still operating. Hacker groups supported by hostile governments are constantly evolving malware and ransomware created for financial gain or widespread destruction or both. With cyber conflicts rising exponentially, Rutkin and Tugander said, “Merck will not be the last decision on this issue. More will come.”[xii]
REFERENCES
[i] https://casetext.com/case/merck-co-v-ace-am-ins-co-1
[ii] https://www.marshmclennan.com/insights/publications/2023/january/asking-the-right-questions-about-war-exclusions-in-the-context-of-cyber-operations.html
[iii] https://casetext.com/case/merck-co-v-ace-am-ins-co-1
[iv] https://casetext.com/case/merck-co-v-ace-am-ins-co-1
[v] https://casetext.com/case/merck-co-v-ace-am-ins-co-1
[vi] https://casetext.com/case/merck-co-v-ace-am-ins-co-1
[vii] https://www.insurancejournal.com/news/international/2022/08/19/681274.htm
[viii] https://news.ambest.com/newscontent.aspx?refnum=250256
[ix] https://www.jdsupra.com/legalnews/merck-settlement-of-1-4-billion-1936983/#:~:text=Cyber%20incidents%20are%20sometimes%20perpetrated,first%20century%20attacks%20in%20cyberspace.
[x] https://casetext.com/case/merck-co-v-ace-am-ins-co-1
[xi] https://bestsreview.ambest.com/edition/2023/september/Regulatory-Law-NotPetya-and-War-Exclusions.html?_gl=1*qlbg6l*_ga*MjExMjQ3NzYyOC4xNzIwNjMxNjE3*_ga_VNWYD5N5NL*MTcyMDYzMTYxNy4xLjEuMTcyMDYzMzMwMy4wLjAuMA.
[xii] https://bestsreview.ambest.com/edition/2023/september/Regulatory-Law-NotPetya-and-War-Exclusions.html?_gl=1*qlbg6l*ga*MjExMjQ3NzYyOC4xNzIwNjMxNjE3*_ga_VNWYD5N5NL*MTcyMDYzMTYxNy4xLjEuMTcyMDYzMzMwMy4wLjAuMA.
McKoehm Tschider
McKoehm Tschider is a third-year Juris Doctor candidate at UND’s School of Law. She has authored and co-authored several publications, including an article for the North Dakota Law Review. Tschider has been a member of the North Dakota Law Review since 2023 and serves as the journal’s Outside Articles Editor. Tschider expects to earn her JD in the spring of 2025. After graduation, she is set to clerk for a federal judge in the District of North Dakota.