Merck has won a long-running legal battle to force its insurer to cover the costs of damages caused by the NotPetya ‘ransomware’ attacks.
The pharma giant was one of many big-name multinationals hit by the destructive malware, disguised as ransomware by Russian attackers targeting Ukrainian organizations back in 2017, as they are again today.
However, the malware soon spread globally, causing potentially billions of dollars of damage.
Many companies, including Merck and confectionary giant Mondelez, found their insurer refusing to pay because of an exclusion in their policy for “acts of war.”
However, a New Jersey superior court judge has now ruled that the language therein implies armed conflict rather than the cyber kind.
Although Merck was claiming under an “all-risk” property insurance policy, both these and more specific cyber policies often contain such exclusions.
However, the ruling may not be beneficial to other policyholders in the long run, as insurers are in general becoming much more prescriptive about coverage for cyber-incidents.
Lloyds of London last November released a new set of clauses that broadened act of war exclusions to “cyber-operations between states which are not excluded by the definition of war, cyber-war or cyber-operations which have a major detrimental impact on a state.”
Peter Groucutt, co-founder of Databarracks, said the new clauses would favor insurers going forward.
“Attribution is another challenge because it is not always clear who was responsible for an attack. There is understandably a lot of deception in cyber-warfare, with attackers leaving misleading breadcrumbs pointing to different attackers or nations. These clauses allow the insurer to determine attribution if the government does not or ‘takes an unreasonable length of time to.’ That seems to be a dangerous case of checking one’s own homework,” he argued.
“There is another challenge of attribution in that cyber groups are often loosely affiliated with a government. It is not always clear if they are directly controlled by or sponsored by the government. Previously, that distinction would be more important. Again, these new clauses widen the net with ‘those acting on its behalf’ working as a catch-all for these kinds of relationships.”
Ultimately the “parameters for payout” are narrowing, shifting more emphasis onto organizations to improve baseline protections, Groucutt concluded.