Over the past few years, ransomware attacks have increased in frequency and demand size. And, increasingly, those attacks have targeted businesses and critical infrastructure organizations from across the globe. This trend is likely to continue. The Cybersecurity & Infrastructure Security Agency noted that cybersecurity authorities in the United States, Australia and the United Kingdom assess that “if the ransomware criminal business model continues to yield financial returns for ransomware actors, ransomware incidents will become more frequent. Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model.”
It is often difficult to identify the actors behind ransomware attacks, because such attacks are conducted by complex networks of developers, affiliates, and freelancers. Attribution also extends beyond private individuals or entities, because nation states engage in cyber attacks as well. For instance, in 2017, Russia’s military intelligence agency launched a malware attack known as NotPetya that affected computer systems worldwide, including those of multinational pharmaceutical company Merck & Co.
The attack on Merck gave rise to litigation in which Merck and its captive insurer, International Indemnity Inc., sued Merck’s ultimate insurer, ACE American Insurance Company, for coverage. Merck alleged that NotPetya spread to 40,000 computers and the damage resulted in losses totaling more than $1.4 billion. During that time, the company had $1.75 billion in “all risks” property insurance policies with ACE, which specifically provided coverage for loss or damage resulting from destruction or corruption of computer data and software. However, ACE denied coverage for NotPetya’s damage to Merck’s computer systems, relying on a “War or Hostile Acts” exclusion to coverage and asserting that the attack was an instrument of the Russian Government as part of its ongoing hostilities against Ukraine. Merck sued ACE in the Superior Court of New Jersey to recover its losses.
The War or Hostile Acts exclusion in Merck’s policy read as follows:
- Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending or expected attack:
  - by any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval or air forces;
  - or by military, naval or air forces;
  - or by an agent of such government, power, authority or forces;
This policy does not insure against loss or damage caused by or resulting from Exclusions A., B. or C., regardless of any other cause or event contributing concurrently or in any other sequence to the loss.
Merck filed a motion for partial summary judgment seeking a declaration that the War or Hostile Acts exclusion did not apply. ACE argued that the evidence shows that NotPetya was an instrument of the Russian Government falling within the War or Hostile Acts exclusion and thus barring coverage. In response, Merck argued that the facts demonstrate that NotPetya “was not an official state action, but rather was a form of ransomware, and moreover that even if it was instigated by Russia to harm Ukraine, the exclusion would still not apply.”
The court ruled in favor of Merck, declaring that the War or Hostile Acts exclusion does not apply under the exclusion’s plain meaning and relevant case law. The court emphasized that the language at issue was found in an exclusion, which must be construed narrowly in favor of coverage. The court then sided with Merck’s argument that the exclusion contained language that limited the exclusion to the use of armed force, and that “the exclusion applied only to traditional forms of warfare” involving “de jure or de facto sovereigns.” Looking to the language used in the exclusion—“hostile or warlike action”—the court agreed that Merck maintained a reasonable understanding of this exclusion that involved the use of armed forces.
Additionally, the court noted that no court has applied a war exclusion to a cyber-related attack. The court noted that ACE did not change the language of the war exclusion, which had been virtually the same for many years, to put Merck on notice that it intended to exclude cyber attacks. Insurers had the ability to do so but, because they failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.
No two exclusions are the same, and it is important to be attentive to differences in wording, which may be controlling. Indeed, because the headings of exclusions do not control their meanings, it is important to review the actual words of so-called “war” exclusions to understand their scope. Likewise, it is important to appreciate the interpretive differences between provisions that provide for specialized coverage when hostilities are occurring and those that purport to limit or eliminate coverage in those circumstances.
The Merck decision has already had a significant impact on insurance underwriting, as insurers have moved to update the language of their war exclusions to explicitly include cyber warfare. Beyond cyber-policies, some insurers have revised their policies (e.g., property policies) since the NotPetya attacks to add broader cyber exclusions—such as Lloyd’s, which updated their standard exclusion provisions less than two weeks prior to the Merck decision. However, most cyber policies include an exception broadly carving back coverage for “cyber terrorism.”
Meanwhile, additional NotPetya coverage litigation remains pending. Similar to Merck, Mondelez International Inc. sued its insurer, Zurich American Insurance Company, in the Circuit Court for Cook County, Illinois, for refusal to cover costs related to its losses from NotPetya. The outcome of the Mondelez case remains to be seen, but policyholders should be watching closely. The outcomes of these lawsuits are factors that contribute to changes in the insurance market, where contract language is being revamped to add robust cyber exclusions to bar coverage at the same time insurance premiums are rising in response to the growing trend of cyber attacks on businesses and critical infrastructure.
Policyholders should take notice of certain insurers’ expansive changes to “war” exclusions to broadly include cyber warfare. Often, policyholders do not know what their insurance covers until they experience a cyber attack. Policyholders should work with experienced counsel to evaluate coverage when purchasing their policies and assess how policy provisions will be impacted by these and other caselaw developments.