Cyber Insurance Claim War Exclusions, Merck v. Ace

·

Cyber Insurance Claim War Exclusions Case Law

Merck alleged it suffered from the NotPetya cyberattack in 2017.  In January 2024, Merck reaches a settlement with insurers over $1.4bn NotPetya cyber-attack.  In 2017, the Russia-linked NotPetya malware was delivered into an accounting software developed by a Ukrainian firm, which was used by Merck and other companies. Merck reported that more than 40,000 of its machines and its global network were infected in the attack, which Merck says led to $1.4 billion in losses.

In 2022, the New Jersey court ruled in favor of Merck, finding that the warfare exclusion did not apply to malware and cyberattacks and was intended to apply only to physical acts of warfare between two or more countries. This decision was upheld in appellate court in 2023 and the company was granted a $1.4 billion payout.  Merck’s insurers argued that the losses were barred by a war exclusion in the policy.  Unsuccessful insurance company arguments where made that the malware used in the NotPetya attack was an instrument of the Russian government “as part of its ongoing hostilities with Ukraine.”

In some cases, insurers perceive an evolving risk through a development in court decisions interpreting policy terms. 

Cybercrime encompasses significant risk for organizations worldwide, encompassing ransomware attacks and data breaches among its top threats. Businesses are dealing with substantial losses, with cyber-related damages reaching an estimated $60 billion annually. Concurrently, the frequency of claims is on the rise, prompting the ongoing evolution and refinement of insurance policies to address the dynamic landscape of risks and vulnerabilities.  Cyber policies are constantly changing and excluding items from coverage.  It is important to know exactly what your cyber insurance policy entails.