CyberGuide - Information Security and Cyber Risk Management



Merck-y waters: NJ court decision keys into ongoing work on war, aggregation, and silent cyber

By Erin Ayers, Advisen

A New Jersey court’s recent decision on the clash between traditional war exclusions and cyber-related damages shines a brighter light on the insurance industry’s long-term efforts to provide meaningful coverage against state-sponsored cyberattacks while drawing a clear line on truly uninsurable events.

In Merck & Co., Inc. et al. v ACE American Insurance Company et al., a New Jersey superior court judge decided the longstanding war exclusion language should not bar the plaintiff pharmaceutical firm’s estimated $1.4 billion in damages due to a June 2017 cyberattack. The NotPetya malware event, widely attributed to the Russian government with Ukrainian critical infrastructure as the intended target, also snared corporations around the world.

After Merck’s property insurers denied its claim, citing the exclusion for losses caused by “hostile or warlike action in time of peace or war,” the pharma giant sued. Judge Thomas J. Walsh of the Union County Superior Court said he “unhesitatingly” agreed with Merck and chastised insurers for not updating their policy language to reflect the rising risk of digital warfare.

The decision quickly met with criticism – Judy Selby and Joshua Mooney, partners at Kennedys law firm, penned a scathing analysis of the decision, noting, “We are not going to be coy about this – we think this decision is wrong.”

They added, “There are many problems with this reasoning, the first being that, except for one case, the court relied upon case law decided before the Internet or even the word ‘cyber’ existed.”

The Merck ruling “may not be of great precedential value to other courts in other states,” Selby told Advisen in a recent interview. The court’s reliance on Merck’s “reasonable expectations” and interpretation of the exclusion as applying only to traditional forms of warfare could carry less weight in other jurisdictions considering similar cases.

“This is not a brand-new concept that nobody was aware of,” said Selby. “There’s new weaponry here, but it was still a hostile or war-like action.”

On appeal, she said, “the insurers have a plethora of really strong arguments to raise.”

Appeal sought

The American Property Casualty Insurance Association (APCIA) filed an amicus brief in support of interlocutory appeal for the defendants in Merck, highlighting the “pressing need for clarity about the bounds of coverage for incidents of cyberwarfare.” The court misapplied state insurance law to arrive at a “cramped interpretation,” APCIA said.

“By imposing a limitation not found in the terms of the exclusion, the decision below creates great uncertainty in the application of a widely-used provision, which insurers rely on to protect against aggregated and uninsurable risk,” the trade group said.

However, rather than raising a new concern, this case marks the latest development in a yearslong project for the global insurance industry. Merck’s lawsuit and a similar, as-yet-undecided one brought by snack manufacturer Mondelez International speak to broader industry efforts to eliminate ambiguity in insurance policies not meant to cover cyber losses – known as “silent cyber” initiatives that date back to around 2015. Lloyd’s of London and the UK Prudential Regulatory Authority (PRA) as well as New York financial regulators have pressed the industry to affirmatively cover or expressly exclude cyber as a covered peril under traditional insurance policies, and most insurers have undertaken reviews to clarify intent behind their policies.

Not-so-silent all these years

Years before NotPetya, the threat of cyber-related losses on non-cyber policies had already surfaced. Notable events include the massive 2011 Sony PlayStation hack that saw the entertainment firm seeking coverage under its commercial general liability (CGL) policy and, in more recent years, a host of court decisions finding coverage for ransomware events under businessowners policies or business email compromise under crime policies.

As one of the first major international insurers to announce a silent cyber initiative, Allianz Global Corporate & Specialty has spent years reviewing all policies to remove ambiguity, according to Marek Stanislawski, AGCS’ global cyber underwriting lead and chief underwriting officer for financial lines. It occupied much of the AGCS cyber team’s time throughout 2018 and 2019, he told Advisen.

“Fast forward to two years later, the landscape has definitely stabilized,” he said. Brokers and clients have become accustomed to silent cyber being part of renewal conversations and “those discussions are now much more common and calm,” said Stanislawski.

The elimination of silent cyber and war exclusions go hand-in-hand, and while they do remain distinct, silent cyber initiatives have helped to achieve certainty for both buyers and insurers. They also serve to ensure application of traditional war exclusions is less likely to be debated for events clearly excluded for coverage from conventional property/casualty policies. The industry-wide project continues to evolve as new issues arise and courts reflect on policies in use in the market.

Standing together for standalone

There’s a further distinction between war exclusions on traditional insurance policies and those on standalone cyber policies. Dedicated cyber coverage is designed to respond to some state-sponsored cyber events – and did in fact respond to the NotPetya event — while drawing a line at system-destabilizing disasters tied to geopolitical conflict.

“Here, there’s still quite a lot of work to do in order to achieve consensus,” said AGCS’s Stanislawski. Merely defining cyber warfare or cyber terrorism presents myriad complexities, and an industry-wide agreement on terms would be most effective.

“Any attempt to classify cyber warfare in a sense that it’s affecting multiple parties, rather than focusing on attribution, is probably the right one to explore,” he said, adding that language that can be updated to evolve with the risks is preferable.

In a series of recent reports, the Geneva Association outlined the challenges facing the industry on hostile cyber activity, including difficulty of attribution and the wide range of potential attacks, targets, and ultimate impacts. Given the risk of billions in losses for insurers, the Association advocated for a public-private partnership (PPP) or government backstop to ease uncertainties.

“PPP blueprints are already in place in several countries to share exposures to natural catastrophe as well as terrorism risks and nuclear risks,” commented Jad Ariss, Geneva Association managing director, and Christopher Wallace, CEO of the Australian Reinsurance Pool Corporation, in a report. “Cyber risk comes with its own set of complexities, yet the constraints on the private re/insurance sector’s capacity to absorb losses from an extreme cyber incident are becoming increasingly obvious.”

In December 2021, the Lloyd’s Market Association issued model exclusions designed to minimize confusion for market participants. While not mandatory, they raised concerns for brokers and buyers, according to recent commentary from Marsh. The broker cited confusing definitions and potential conflict with existing exclusions.

Exclusions, whether for war or other perils, are always a concern for brokers, according to John Farley, managing director of Arthur J. Gallagher’s global cyber liability practice.

“Our role as brokers is to negotiate coverage with the widest terms possible while narrowing the scope of exclusions. Negotiating carve-back language to cover for cyberterrorism is one such example,” he told Advisen in an email. “In the current cyber environment of geopolitical tensions, risk managers around the globe must understand that geopolitical risk will heighten cyber risk and that cyber risk and supply chain risk will be forever intertwined.”

Farley added, “More often than not, attribution for cyberattacks is difficult, if not impossible. Even when a nation-state is suspected of carrying out an attack they always deny responsibility. IT forensics investigators may be able to narrow down the geography of the attack, but they can rarely point to the exact individual/hacker behind the keyboard. Therefore, it is near impossible to confirm with 100% certainty that it was a nation-state, a particular criminal group or a lone wolf.”

According to Vincent Vitkowsky, partner at Gfeller Laurie LLP, the exclusions address “difficult issues” for the cyber market.

“These exclusions are not perfect. Nothing is,” he said in a recent article. “There is scope for dispute about the terms ‘an inference which is objectively reasonable,’ ‘reference to such other evidence as is available,’ ‘major detrimental impact,’ and ‘essential service,’ among others, as applied to specific facts. But the exclusions reflect a well-reasoned, serious attempt to reduce some of the uncertainties over the scope of coverage for state and state-sponsored attacks.”

Managing Editor Erin Ayers can be reached at [email protected]

Corvus Insurance
SecurityScorecard, Inc.
Advisen