Merck's Cyberattack Settlement: What Does it Mean for Cyber Insurance Coverage?

In 2017, Merck was among the companies hit by the NotPetya cyberattack. The malware, linked to Russia and its conflict with Ukraine, caused billions of dollars in damage across the world. The pharmaceutical company claimed $1.4 billion in damages. Its insurers sought to avoid covering the losses on the basis of war exclusions, which set off a lengthy legal battle. Seven years later, the company and its insurers reached a confidential settlement, according to Bloomberg Law.

If the case received a court ruling, it would have had the potential to set a precedent in the cyber insurance landscape. With risk of cyberattacks only increasing, could Merck’s case be followed by more disputes between insurers and policyholders?  

The Merck Case

The NotPetya malware damaged more than 40,000 of the pharmaceutical company’s computers, leading to major operational disruption, according to Cybersecurity Dive. Its insurers denied coverage on the basis of hostile/warlike action exclusions in their policies. A state appellate court ruled that the exclusion did not apply, and Merck was entitled to approximately $700 million, according to the Bloomberg Law report.

“In considering the plain language of the exclusion, and the context and history of its application, we conclude the Insurers did not demonstrate the exclusion applied under the circumstances of this case, namely, that this cyberattack was a ‘hostile’ or ‘warlike’ action as contemplated under the exclusion,” according to the court opinion.

Related:What Happens When You Lose Your Cyber Insurance?

The company’s case against its insurers was headed to the New Jersey Supreme Court before the settlement was reached.

With nation-state-backed cyberattacks unlikely to subside, a court ruling could have been pointed to in future cyber insurance coverage disagreements. But the conclusion of the Merck case does not provide any definitive case law. “It's confidential settlement, so it’s hard to really use as a predictor,” Eric Stern, a partner at national law firm Kaufman Dolowich, tells InformationWeek.

But the case and the billions of dollars of damage at its heart do suggest that the cyber insurance industry isn’t through with challenges from policyholders.

War Exclusions

Merck isn’t the only company to butt heads with its insurers over war exclusions. Food and beverage company Mondelez International settled a lawsuit against its insurer Zurich American Insurance Company in 2022, according to Insurance Business. Mondelez, like Merck, was a victim of the 2017 NotPetya cyberattack. Zurich denied the company’s $100 million claim, citing a war exclusion in its policy.

Related:How to Get the Best Cyber-Insurance Deal

These two cases raise questions about cyber insurance coverage, but the industry has changed significantly since the NotPetya cyberattack. “We are talking about a 2017 attack, policies that were written almost a decade ago,” says Stern. “Cyber has changed and developed so much in that time.”

The way enterprises view cyber insurance and the risk environment has changed significantly over the past seven years. Cyber risk awareness has dramatically increased, and the value of the cyber insurance market with it.

As cyber risk grows, so does the complexity of underwriting those risks. “Now, the applications are much more intricate, up to questionnaires than include 550 questions,” says Dara Gibson, senior cyber insurance manager at Optiv, a cybersecurity advisory company.

War exclusions are a part of the growing complication of the industry. Cyberwarfare is different than traditional warfare. What that means for cyber insurance is not exactly clear.

Insurance market Lloyd’s of London released four different clauses for cyberwar and cyber operation exclusion. Its state-backed cyberattack exclusions went into effect on March 31, 2023 but not without criticism. While Lloyd’s did provide some clarity around war exclusions, Gibson points out that there is still plenty of room for interpretation.

Related:Cyber Insurance Costs Lead to Scrutiny of Business Partners

“What the insurance industry is really trying to do is figure out where [to] draw that line or set that boundary as far as a segment or a slice of the overall cyber risk pie that [they] simply can't afford to cover as an industry,” says Scott Kannry, co-founder and CEO of Axio, a cyber risk management company.

Buying Cyber Insurance

What does buying cyber insurance look like in the current landscape? How can enterprise leadership evaluate potential policies and understand how exclusions will apply?

Stern recommends working through exclusions when purchasing a policy, rather than risking a surprise when filing a claim. “When you're purchasing the policy, everyone wants the same thing. The insured wants the policy. The insurer wants to sell the policy, and [they] want to come to terms on what they’re actually insuring to be able to set the price accordingly,” he explains.

Enterprise leaders making cyber insurance purchasing decisions can ask prospective insurers questions to better understand how they define and interpret war exclusion clauses. What is considered an act of war? What happens if a cyberattack is traced back to a nation-state actor? Does the insured company need to be the intended target in order to receive coverage?

“Organizations would have to look at multiple policies and see how the various insurance carriers are utilizing those exclusions and then truly looking at the enterprise and say, ‘Hey what are we willing to accept in this exclusion?’” says Gibson.

The Future of Cyber Insurance and Cyberwarfare

The Merck and Mondelez cases are likely not going to be the last of their kind. More legal disputes between insurers and insureds, whether regarding war exclusions or other issues, could arise in the future. “I think that the cyber litigation is just getting started,” says Stern.

More cases could drive change in the way cyber insurance companies approach risk tied to cyberattacks and what is considered cyberwarfare. When new risks challenge the existing approach to coverage, it drives industry change. “Maybe it takes a second or a third dispute to really achieve a definitive conclusion on that particular matter,” says Kannry. “Then, what can often happen is insurance industry says, ‘You know what, that type of loss needs to be understood and defined separately.’”

Compared to many other insurance products, cyber insurance is relatively new. That means there remains plenty of room for the development of innovative ways to offer cyber insurance coverage. But the road forward likely won’t be without bumps for insurers and insureds. “With new products that get out on the market, they'll probably [disagree] about how it applies to any given claim and the lawsuits will ensue,” says Stern.

While it will take time for the insurance industry to work through the challenges of covering risks in a world where cyberattacks are an inevitable element of conflict between nations, Kannry is confident it will be able to do so.

“You're talking about an industry whose fundamental purpose is to understand and effectively price risk and come up with products to cover risk and be more right than wrong over the long term,” he says. “And I really expect nothing different with respect to cyber, even in the current climate that we're in with all the confusion and debate and consternation about these exclusions.”

More standardized language around inclusions and exclusions could help to eliminate some of that confusion. “This is where the insurance industry needs to … do better for their insureds,” says Gibson. “And then the insureds need to do better and say, ‘Hey, how can I be less risky? How can I put cyber controls in place to make sure that I am protected?’”