Cyber war debate rumbles on as Merck settles with insurers

Merck’s settlement with its insurers early this year draws a line under NotPetya cyber insurance coverage disputes, but insurance buyers remain frustrated by the market’s inconsistent approach to cyber war, experts have told Commercial Risk.

US pharmaceutical company Merck reached a last-minute settlement with insurers in January over its disputed claim under its property policy for losses related to the 2017 NotPetya cyberattack, which US and European authorities attributed to Russia.

In May last year, a New Jersey appellate court upheld a prior ruling in favour of Merck that the insurers could not use war as an argument to deny coverage for NotPetya losses. Insurers were subsequently given permission to appeal, but the settlement was announced just before the appellate court ruling was due to be reviewed by the New Jersey Supreme Court in January this year. The terms of the settlement are confidential.

Merck’s NotPetya losses were said to total $1.4bn, with its insurers denying coverage under the “hostile/warlike action” exclusion. Initially, more than 30 insurers denied cover, but most have since resolved their claims. Chubb and seven other insurers – representing around $700m in coverage – took their appeal to the Supreme Court. They have now settled.

The fact that Merck settled does not mean that coverage issues addressed by the case are unresolved, according to Julian Miller, partner at London-based law firm DAC Beachcroft. In particular, the courts examined the efficacy of a general war exclusion in the context of a cyberattack, he explained.

“The appellate decision still stands undisturbed. [For now] That is the final and only word on general war exclusions in the context of a cyberattack. The appellate ruling has binding authority in the state of New Jersey and persuasive value in other state and federal jurisdictions,” said Miller.

In its May 2023 judgement, the New Jersey appellate court said that if insurers had intended to exclude cyber from Merck’s policy, they should have explicitly done so, which was not the case. “Although there is no precedent considering the hostile/warlike action exclusion, our Supreme Court has consistently required the need for plain language pertinent to the situation to permit the enforcement of an exclusion,” the ruling said.

“In considering the plain language of the exclusion, and the context and history of its application, we conclude the insurers did not demonstrate the exclusion applied under the circumstances of this case, namely, that this cyberattack was a ‘hostile’ or ‘warlike’ action as contemplated under the exclusion. Therefore, we affirm,” it added.

The Merck settlement effectively draws a line under the big insurance coverage disputes triggered by the NotPetya cyberattack. Confectionery maker Mondelez also settled its NotPetya cyber coverage dispute with Zurich Insurance in 2022.

However, the wider issue of cyber insurance and nation-state attacks has yet to be resolved and new coverage disputes have emerged. Last year, Viasat Inc filed an insurance coverage lawsuit against Lloyd’s underwriters related to losses incurred by the US-based broadband satellite internet service provider following a suspected Russian cyberattack hours before the invasion of Ukraine in 2021.

The NotPetya cyberattack, and subsequent coverage disputes, sparked a debate around contract certainty for cyber losses, both in traditional and cyber insurance policies. Since then, regulators and insurers have moved to address non-affirmative or ‘silent cyber’ in traditional insurance, while the cyber market has generally looked to exclude losses from cyberattacks caused by nation states and terrorist groups.

From 31 March 2023 all standalone cyber policies written at Lloyd’s must exclude liability for losses arising from state-backed cyberattacks. The Lloyd’s Market Association (LMA) published a suite of model exclusions in 2021, subsequently revised in 2023, that Lloyd’s deemed compliant with its requirement. Other insurers and brokers have developed modified cyber war exclusions or use traditional war language.

Cyber insurance buyers are frustrated by the current situation, according to Serena France-Hayhurst, Marsh’s UK Cyber placement leader. Marsh has previously highlighted a lack of insurer consensus on cyber war exclusions, and criticised the LMA clauses for their use of ambiguous terms and methods of attribution, which could result in confusion and lack of contract certainty.

“Our clients continue to invest in cyber insurance and resiliency, and valid cyber claims continue to be paid with very few disputes of which we are aware. Clients, however, remain frustrated at the mixed signals being sent by Lloyd’s, reinsurers and others, along with unclear articulation of the intent behind some of the new exclusionary language introduced over the past 24 months,” she told Commercial Risk.

A combination of LMA and traditional war language is the preferred approach for large insureds, according to France-Hayhurst. However, Marsh continues to “execute” on its clients’ “bespoke strategies” and has developed LMA-compliant language for companies that wish to use Lloyd’s, she added.

The market – reinsurers, insurers and brokers – has yet to land on a common approach to cyber war, although progress has been made, according to Miller. “The debate rumbles on. The volume of debate is decreasing, but the issue has not gone away and if there was another significant cyberattack believed to be state backed, and a coverage dispute emerges, we can expect that this issue will be resurrected,” he said.

The market has further to go to tackle the issue of cyber war, explained Miller. The LMA’s model wording, for example, is not easily transposed to other jurisdictions, such as those operating under a civil code. The debate on cyber war coverage is also subject to commercial pressures and market conditions (the cyber insurance market is currently softening) and is shaped by geopolitical events.

“The first [cyber war] clauses were written in 2021 and we are little over two years on from that. This is a significant challenge for the insurance market, and insurers and brokers have done well to address the issue to the extent it has… The proliferation of [cyber war] clauses is both a blessing and a curse. It can cause confusion, but it also implies there are a number of options available to insureds. It will take time for the cyber market to mature,” said Miller.

France-Hayhurst agreed that the market has made progress. But there is much left to do, and not just on cyber war, with coverage challenges in areas like critical infrastructure and systemic risks, she added.

“The root issue pertains to the [insurance] industry’s concern, appropriately or not, of a catastrophic cyber event that could cause financial ruin; NotPetya was the catalyst, and has been attributed to a nation state, which in part is why this issue has been reduced to concerns over ‘cyber war’. The market is moving towards a shared lexicon; however, much work remains on this front, and the issues have not been fully resolved,” she said.

By focusing on mandates and exclusions, the insurance industry has not yet developed solutions to the wider issue of systemic and catastrophic cyber claims, continued the broker. “The focus on ‘cyber operations’ has distracted the industry and the current approach of mandates stifled the development of innovative and creative solutions, which are now starting to gain momentum again,” she said.
