Insurers Say Cyberattack that Hit Merck Was Warlike Act, Not Covered

The costly NotPetya cyberattack, which the U.S. blamed on Russia, should be considered a "cyber nuclear attack," insurers argued.

Source: WTW | Published on February 9, 2023

The costly NotPetya cyberattack, which the US blamed on Russia, should be considered a “cyber nuclear attack,” insurers argued, urging judges to overturn Merck & Co.’s legal victory in a case that could have far-reaching implications for business insurance.

Merck, which suffered an estimated $1.4 billion in losses after NotPetya infiltrated its computer systems in 2017, suffered the collateral damage of a warlike act that was not covered by insurance, lawyers for a group of carriers told a state appeals court in Trenton, New Jersey, on Wednesday.

“NotPetya was massive,” said Philip C. Silverberg, a lawyer for Merck’s insurers. “It was essentially a cyber nuclear attack.”

The legal dispute between the Rahway, New Jersey-based pharmaceutical company and its insurers revolves around a war exclusion, which is a relatively common clause in many policies that states insurers are not required to pay out if the loss can be traced back to warlike hostilities. Many Americans’ home and auto insurance policies exclude coverage if a foreign power bombs their home or vehicle, a provision that insurers include to protect themselves from the massive losses that a large-scale conflict could cause.

The Merck case has gotten a lot of attention, and not just because of the large sum at stake or because it involves cyberattacks, which are becoming a growing threat to businesses of all sizes. The reasoning of the court may also influence how other categorical exclusions are interpreted in the future.

The two sides disagree on whether the long-standing policy of war exclusion can be easily applied to a relatively new type of attack, one that is frequently the domain of criminal gangs or computer vandals rather than countries.

NotPetya disrupted systems all over the world, including those of many large corporations, causing billions of dollars in losses. Merck’s systems were locked due to malicious code infiltrating through accounting software, and roughly 80% of losses occurred in the United States, according to Mark Mosier, a lawyer representing the company.

Though the United States and other countries blamed Russia for the attack, and federal prosecutors filed related criminal charges, the United States’ response fell short of classifying the attacks as armed hostilities.

“The US did not say, ‘NotPetya is an act of war against the US, and we’re going to launch a military response,’” Mr. Mosier explained.

Russia’s government has denied any involvement.

After a lower court judge sided with Merck in 2021, the insurers filed an appeal. The judge determined that the exclusion did not apply based on the plain meaning of the policy language. Groups representing all types of businesses, from hospitals to manufacturers to restaurants, have come out in support of Merck, arguing that they rely on consistent coverage.

However, insurers and insurance trade groups argue that the attack at issue, which occurred during Russian hostilities against Ukraine, was clearly of the type intended to be covered by a broad war exclusion.

“Russia did this,” said James E. Rocap, a lawyer representing Merck’s insurers. “This was a heinous crime. It was all part of Russia’s ongoing conflict with Ukraine over Ukrainian sovereignty.”

According to the American Property Casualty Insurance Association, excluding modern warfare from the war exclusion could expose the industry to massive losses.

More broadly, APCIA argued that a victory for Merck could jeopardize other similar exclusions used by insurers when drafting policies. Merck wants to be compensated under an all-risks policy. These policies are written broadly to cover a wide range of changing circumstances.

The three judges who decided the appeal gave no clear indications of their thinking, though one questioned how Merck could have been the victim of a warlike attack if almost all of the damage occurred in the United States. That judge, Heidi Currier, also pointed out that the war exclusion predates the widespread use of computers by decades.

In addition to the litigation, the insurance industry has taken steps to limit payouts under cyber policies, such as conducting more thorough checks on prospective clients’ security measures. Policy language has also evolved. In a memo that goes into effect March 31, Lloyd’s of London says its insurers must make it clear in their policies that they do not cover any state-sponsored cyberattacks in stand-alone cyber policies.

Though the New Jersey case will only have a direct legal impact in that state, other jurisdictions are expected to closely monitor the decision in order to guide their own thinking in similar disputes. No other case involving this issue has received as much attention, according to David Cummings, whose law firm represents insurance buyers who have sided with Merck.

Mondelez International Inc., based in Chicago, sued insurer Zurich American Insurance in 2018 over NotPetya costs that exceeded $100 million, but the case was settled.

The terms of that agreement were not made public.

“Everyone is keeping an eye on this case,” Mr. Cummings said. “This is going to shape the industry in the future.”