How the Merck Case Shapes the Future of Cyber Insurance
Merck & Co.’s proposed settlement with insurers over a $1.4 billion claim related to the NotPetya attack will change the language the insurance industry uses to exclude acts of war in its policies, and organizations need to consider how those changes affect risk, said attorney Peter Halprin.
The settlement will resolve an ongoing legal dispute between Merck and several insurers that were appealing a 2023 court decision saying the insurance companies could not invoke “hostile warlike action” exclusions in refusing to pay the pharmaceutical giant’s claims filed after the June 2017 NotPetya cyberattack. The attack hit several other companies globally, including shipping giant A.P. Møller – Maersk – and snack food company Mondelez. Total damages attributed to NotPetya are commonly estimated at about $10 billion worldwide (see: Insurers Drop Bid to Exclude Merck’s $1.4 Billion NotPetya Claims).
Merck’s insurers contended that Russia had launched the NotPetya malware as part of its ongoing conflict with Ukraine. The insurers last week dropped their bid in New Jersey’s Supreme Court to challenge an appellate court ruling last May that upholds a lower court’s ruling saying that the hostile warlike exclusions did not apply to Merck’s losses.
The language of the particular war exclusion in Merck’s “all risk” policies made no reference to cyberattack, cyberwar or cybercrime, “and because of that, the exclusion should be interpreted as traditional war exclusions and property policies are, which is to reflect kinetic conflict or a shooting war,” said Halprin, a partner at law firm Haynes and Boone.
The Merck development will influence insurers’ approach to writing coverage, he said. Merck is a lesson in policy wording and language -and on the importance of narrowly drafted exclusionary language,” he said.
“It’s really important, especially as these new war exclusions come to the market, that clients and their brokers work collaboratively with the insurers to try to ensure that if there is going to be some kind of exclusionary language in relation to cyberwarfare, it’s really narrowly, drafted and really limited and targeted.”
The Merck dispute also highlights the complexity of attributing cyber incidents to specific entities in trying to apply exclusions, Halprin said.
“The key issue arising out of most of the new exclusionary language is this concept of attribution and whether or not a cyberattack can be attributed to a nation-state. That would make it more akin to traditional war than perhaps a criminal gang or an independent actor,” he said.
“There may be instances where you know that it’s a government hacking group. But sometimes, in some countries, you have criminal gangs that are tolerated by the government, loosely affiliated,” he said.
“They know that they’re stealing money from Americans, and it’s a common enemy. But it’s not necessarily directed by the nation-state itself, and that’s where the attribution issue becomes so complicated.”
In this interview with Information Security Media Group (see audio link below photo), Halprin also discussed:
- Top lessons from the Merck settlement;
- Why Merck and the insurers likely decided to settle rather than to continue pursuing their legal battles in court;
- Other critical considerations for 2024, including new state privacy laws, generative artificial intelligence, and evolving ransomware and business email compromise threats.
Halprin is a partner in Haynes Boone’s insurance recovery practice group in the firm’s New York office. He has arbitrated, litigated and mediated claims involving a broad range of insurance policies and recovered hundreds of millions of dollars in insurance proceeds. Halprin is an adjunct professor of law at the Benjamin N. Cardozo School of Law. He was previously a partner at law firm Pasich LLP.