Philip He |
Colin Kemp |
The agency noted that cybersecurity authorities in the U.S., Australia and the U.K. assess that "if the ransomware criminal business model continues to yield financial returns for ransomware actors, ransomware incidents will become more frequent. Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model."
It is often difficult to identify the actors behind ransomware attacks, because such attacks are conducted by complex networks of developers, affiliates and freelancers. The attribution behind such attacks also goes beyond private individuals or entities, as nation-states also engage in cyberattacks.
For instance, in 2017, Russia's military intelligence agency launched a malware attack known as NotPetya that affected computer systems worldwide, including those of multinational pharmaceutical company Merck & Co. Inc.
The attack on Merck gave rise to litigation — Merck Co. Inc. et al. v. ACE American Insurance Co. — in which Merck and its captive insurer, International Indemnity Ltd., sued Merck's ultimate insurer, ACE American Insurance Company, for coverage.
Merck alleged that NotPetya spread to 40,000 computers and the damage resulted in losses totaling more than $1.4 billion. During that time, the company had a $1.75 billion all-risks property insurance policy with ACE, which specifically provided coverage for loss or damages resulting from destruction or corruption of computer data and software.
However, ACE denied coverage for NotPetya's damage to Merck's computer systems, relying on a war or hostile acts exclusion to coverage and asserting that such attack was an instrument of the Russian government as part of its ongoing hostilities against Ukraine. Merck sued ACE in the Superior Court of New Jersey in 2021 to recover its losses.
The war or hostile acts exclusion in Merck's policy read as follows:
Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending or expected attack:
a) by any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval or air forces;
b) or by military, naval or air forces;
c) or by an agent of such government, power, authority or forces.
b) or by military, naval or air forces;
c) or by an agent of such government, power, authority or forces.
This policy does not insure against loss or damage caused by or resulting from Exclusions A., B. or C., regardless of any other cause or event contributing concurrently or in any other sequence to the loss.
Merck filed a motion for partial summary judgment seeking a declaration that the war or hostile acts exclusion did not apply. ACE argued that the evidence shows that NotPetya was an instrument of the Russian government falling within the war or hostile acts exclusion and thus barring coverage.
In response, Merck argued that the facts demonstrate that NotPetya "was not an official state action, but rather was a form of ransomware, and moreover that even if it was instigated by Russia to harm Ukraine, the exclusion would still not apply."
On Dec. 6, 2021, the court ruled in favor of Merck, declaring that the war or hostile acts exclusion does not apply under the exclusion's plain meaning and relevant case law. The court emphasized that the language at issue was found in an exclusion, which must be construed narrowly in favor of coverage.
The court then sided with Merck's argument that the exclusion contained language that limited the exclusion to the use of armed force, and that "the exclusion applied only to traditional forms of warfare" involving "de jure or de facto" sovereigns. Looking to the language used in the exclusion — "hostile or warlike action" — the court agreed that Merck maintained a reasonable understanding of this exclusion that involved the use of armed forces.
Additionally, the court noted that no court has applied a war exclusion to a cyber-related attack. The court noted that ACE did not change the language of the war exclusion, which had been virtually the same for many years, to put Merck on notice that it intended to exclude cyberattacks.
Insurers had the ability to do so but because they failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.
No two exclusions are the same, and it is important to be attentive to differences in wording, which may be controlling. Indeed, because the headings of exclusions do not control their meanings, it is important to review the actual words of so-called war exclusions to understand their scope.
Likewise, it is important to appreciate the interpretive differences between provisions that provide for specialized coverage when hostilities are occurring and those that purport to limit or eliminate coverage in those circumstances.
The Merck decision has already had a significant impact on insurance underwriting, as insurers have moved to update the language of their war exclusions to explicitly include cyberwarfare.
Beyond cyber policies, some insurers have revised their policies — e.g., property policies — since the NotPetya attacks to add broader cyber exclusions. For example, the Lloyd's Market Association updated its standard exclusion provisions less than two weeks prior to the Merck decision.[2] However, most cyber policies include an exception broadly carving back coverage for cyberterrorism.
Meanwhile, additional NotPetya coverage litigation remains pending. Similar to Merck, Mondelez International Inc. sued its insurer, Zurich American Insurance Company, in Circuit Court for Cook County Illinois in 2018, for refusal to cover costs related to its losses from NotPetya.[3]
The outcome of the Mondelez case remains to be seen, but policyholders should be watching closely. The outcomes of these lawsuits are factors that contribute to changes in the insurance market, where contract language is being revamped to add robust cyber exclusions to bar coverage at the same time insurance premiums are rising in response to the growing trend of cyberattacks on businesses and critical infrastructure.
Policyholders should take notice of certain insurers' expansive changes to war exclusions to broadly include cyberwarfare. Often, policyholders do not know what their insurance covers until they experience a cyberattack.
Given Russia's invasion of Ukraine, the threat of cyberwarfare has arrived and spillover from heightened cyberactivity poses substantial risks. Escalating tensions after Western nations slapped a raft of sanctions on Russia for invading Ukraine could increase the risk of retaliatory systemic cyberattacks, causing damages and losses to businesses.
As businesses prepare for cyberattacks arising from the ongoing conflict, businesses need to understand this heightened risk of an attack that may have wider consequences, including recovery implications for any losses.
Philip He is an associate and Colin T. Kemp is a partner at Pillsbury Winthrop Shaw Pittman LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] https://www.cisa.gov/uscert/ncas/alerts/aa22-040a.
[2] https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA21-042-PD.aspx.
[3] Mondelez Int'l, Inc. v. Zurich Am. Ins. Co., Case No. 2018-L-011008 (Ill. Cir. Ct., Cook Cty., complaint filed Oct. 10, 2018).
For a reprint of this article, please contact reprints@law360.com.