Insurers Say Cyberattack That Hit Merck Was Warlike Act, Not Covered - WSJ

The company lost $1.4 billion in 2017’s NotPetya attack, which has been linked to Russia, but insurers are fighting in court to avoid paying

By Richard Vanderford
Updated Feb. 8, 2023 6:57 pm ET
The costly NotPetya cyberattack, which the U.S. blamed on Russia, should be considered a “cyber nuclear attack,” insurers argued as they urged judges to overturn a legal win by Merck & Co. in a dispute that could have broad ramifications for business insurance.

Merck, which had an estimated $1.4 billion in losses after NotPetya invaded its computer systems in 2017, suffered the collateral damage of a warlike act not covered by insurance, lawyers for a group of carriers told judges Wednesday in a state appeals court in Trenton, N.J.

“NotPetya was massive,” said Philip C. Silverberg, a lawyer representing several of Merck’s insurers. “It was a virtual cyber nuclear attack.”

The legal dispute between the Rahway, N.J.-based pharmaceutical company and its insurers centers on what is known as a war exclusion, a relatively common clause in many policies that says insurers don’t have to pay out if the loss traces back to warlike hostilities. Even the home and auto insurance policies of many Americans deny coverage if a foreign power bombs their dwelling or vehicle, a provision that insurers include to protect themselves from the runaway losses that a wide-scale conflict could bring.

The Merck case has attracted attention, and not just for the amount at stake or because it touches on cyberattacks, a growing risk to businesses of all sizes. The court’s reasoning could also affect how other categorical exclusions are read in the future.

The two sides are at odds as to whether the war exclusion, which has been in policies for decades, can be readily applied to a relatively new form of attack, one that is often the domain of criminal gangs or computer vandals, and not countries.


NotPetya disrupted systems worldwide, including those of many large corporations, costing businesses billions of dollars. Merck’s systems were locked because of malicious code that infiltrated through accounting software, and about 80% of losses happened in the U.S., said Mark Mosier, a lawyer representing the company.

Though the U.S. and other countries have attributed the attack to Russia and federal prosecutors have brought related criminal charges, the U.S. response stopped short of treating the attacks as akin to armed hostilities.

“The United States didn’t say ‘NotPetya is an act of war against the United States and we’re going to launch a military response,’” Mr. Mosier said.

The Russian government has denied involvement.

The insurers appealed after a lower court judge sided with Merck in 2021. That judge found that based on the plain meaning of the policy language, the exclusion didn’t apply. Groups representing businesses of all kinds, from hospitals to manufacturers to restaurants, have come forward to back Merck, arguing that they depend on having reliable coverage.

But the insurers and insurance trade groups counter that the attack at issue, which occurred amid Russian hostilities directed at Ukraine, was of the kind clearly meant to be covered by a broad war exclusion.

“Russia did this,” said James E. Rocap, a lawyer arguing on behalf of Merck’s insurers. “This was a destructive act. It was all part of the ongoing conflict between Russia and Ukraine over Ukrainian sovereignty.”

The American Property Casualty Insurance Association, an industry group, said carving out modern warfare from the war exclusion could expose the industry to huge losses.

More broadly, APCIA argued that a win for Merck could jeopardize other similar exclusions that insurers rely on when drafting policies. Merck wants to be paid under what is known as an all-risks policy. Such policies are broadly written to cover a range of changing circumstances.

The three judges deciding the appeal didn’t give clear indications of their thinking, though one questioned how Merck could be the victim of a warlike attack if almost all the damage occurred in the U.S. That judge, Heidi Currier, also noted that the war exclusion predates the widespread use of computers by decades.

Separate from the litigation, the insurance industry has taken its own steps to limit payouts under cyber policies, including doing more thorough checks of prospective clients’ security measures. And policy language has also changed. Lloyd’s of London, in a memo that comes into effect March 31, has said its insurers must make clear in their policies’ wording that they don’t cover any state-sponsored cyberattacks in stand-alone cyber policies.

Though the case in New Jersey will only have a direct legal impact in that state, other jurisdictions are expected to watch the decision to guide their own thinking in similar disputes. No other case touching on this issue has been as closely watched, said David Cummings, whose law firm represents insurance buyers that have sided with Merck.

Chicago-based Mondelez International Inc. sued insurer Zurich American Insurance in 2018 over NotPetya costs that the snack maker said surpassed $100 million, but that case ended in a settlement. Details of that agreement weren’t disclosed.

“Everyone’s watching this case,” Mr. Cummings said. “This is going to shape the industry going forward.”

Write to Richard Vanderford at [email protected]