Why Insurance Companies Don’t Want to Pay Out for Cyberattacks

More than a decade ago, the U.S. Department of Defense determined that computer sabotage could be considered an act of war, but it did not say which cyberattacks, specifically, would meet this threshold. To date, no clear consensus has emerged about what constitutes cyberwar or how it should be defined. That’s how the pharmaceutical company Merck ended up in a legal battle with its property insurers over more than $1 billion in claims related to the 2017 NotPetya cyberattack, which Russia targeted at Ukraine but which spread rapidly to shut down computer systems for hundreds of companies worldwide.

For an insurance-claim-related lawsuit surrounding boilerplate text in a contract, this was a major legal decision, one that would decide whether or not insurers would have to pay up for cyberattacks under their enormous property and casualty policies. Those policies had long included language that explicitly said insurers didn’t have to pay for damage caused by “hostile or warlike” acts, but when it came to NotPetya it wasn’t clear whether that language actually applied—the cyberattack had been launched by a nation, but was it really warlike? The increasingly belligerent geopolitical milieu adds to the urgency of this question, even if the answer seems to be buried in the bowels of the fine print of insurance contracts.

The group of insurers that sold Merck its $1.75 billion of property insurance denied the company’s claim for NotPetya-related losses on the grounds that NotPetya was a “hostile or warlike action” of the sort excluded by the insurance policy. But in December 2021, in New Jersey, a judge ruled in favor of Merck, finding that the insurance exclusion did not apply to NotPetya and Merck was therefore owed the full amount of its claim. Merck argued in court that it believed the exclusion only applied to the “use of armed forces,” and the judge agreed that given the language in the exclusion, “Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.”

The relevant standard language that appeared in Merck’s property insurance (and that appears in most other property coverage) excludes any coverage for “Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack: (a) by any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval or air forces; (b) or by military, naval, or air forces; (c) or by an agent of such government, power, authority, or forces.”

If the exclusions in the policy had been more narrowly tailored to specify that they applied to state-sponsored cyberattacks, then the outcome of the case might well have been different.

In going through the relevant case law, in the ruling, the judge pointed to several previous disputes over the applicability of the war exclusion clause to other types of attacks, including terrorist hijacking of planes, missiles fired by Hamas, and ship collisions, among others. Many of these were also deemed by courts not to be traditional warfare of the sort to which the insurance exclusion would apply, even though almost all of them involved significant physical violence, unlike NotPetya. But when there is ambiguity in an insurance policy’s coverage, courts generally rule in favor of the insured, rather than the insurer, which is precisely what happened here.

By declaring that NotPetya, a clearly military attack by Russia on Ukraine in 2017, did not rise to the level of armed conflict, the judge jumped right into the middle of the ongoing debate on how to define cyberwar and cyberattacks, and whether what happens on the internet is “real”—even if NotPetya did cause 20 percent of global shipping to grind to a halt for weeks. In comparison, when the Ever Given got stuck in the Suez Canal it halted 12 percent of world shipping for about six days, but that stands out more in people’s memories due to the arresting visual images.

What’s important about the recent victory for Merck in its long-running suit against its property insurers is that the judge said, essentially, that Russia launching NotPetya was not a traditional use of armed forces and therefore should not be considered “warlike.” In particular, the judge called out the insurers for failing to change the language in their war exclusion to explicitly reference cyberattacks. If the exclusions in the policy had been more narrowly tailored to specify that they applied to state-sponsored cyberattacks, then the outcome of the case might well have been different.

In the Merck ruling, the judge cited a passage of the 1922 ruling and even bolded one sentence from it: “Remote consequences of hostilities cannot become a recoverable loss [under war risk insurance], even if they may be said to be proximately caused by something itself ascribable as a consequence of hostilities.” Because the damages were not covered under war risk insurance in that case, they were covered by the marine policy.

The Merck ruling does not elaborate on this logic, but it has been echoed by other, earlier insurance disputes as well. For instance, in Pan American World Airways, Inc. v. Aetna Casualty & Surety Co., surrounding the insurance coverage for Pan Am Flight 93, which was hijacked by members of the Popular Front for the Liberation of Palestine in 1970, the Second Circuit again found that the hijacking would not be considered an act of war because it took place in Cairo. The hijacking could not be considered a “warlike operation” for insurance purposes, the court ruled, because “that term does not include the inflicting of damage on the civilian property of non-belligerents by political groups far from the site of warfare.” What were the losses caused to Merck by NotPetya if not precisely that?

The coordinated attribution statements by many governments, including the United States, the United Kingdom, and Canada, blaming Russia for NotPetya have made abundantly clear that the cyberattack was the act of a sovereign power. That’s probably why so many insurers thought this would be a good example to use in an effort to clarify in court that property insurance does not apply to losses resulting from state-sponsored cyberattacks. However, the judge ruled that in this case, the question was not whether there was a government behind NotPetya but rather whether the damage done by the malware—which was certainly extensive—rose to the level of a “hostile or warlike action.”

Read More

Russia Can Win in Ukraine Without Firing a Shot

If the Kremlin can make Ukrainian businesses uninsurable, it will destroy the economy.

Argument |

Elisabeth Braw

What Can Insurance Tell Us About the Capitol Mob?

And how Biden can use economic theory to stave off more riots.

Argument |

Timothy R. McDade

Ukraine’s Counteroffensive Against Forced Russian Citizenship

Moscow ramped up its efforts to make Ukrainians Russian. Ukraine is planning to fight back.

Dispatch |

Maxim Edwards

Sponsorship by “any government or sovereign power” is one of the criteria for the insurance exclusion, but it was not the decisive one in the judge’s eyes. Insurers had hoped that if they won this case it would send a clear signal that they did not have to cover damages related to other state-sponsored attacks under property and casualty policies, but instead, the court decided that the definition of war is narrower than attacks by nation-states—those attacks have to include the use of armed forces.

It’s important that the NotPetya attack can be pinpointed in geographical terms. Much of the world’s law and military doctrine around conflict is defined in terms of borders and whether a conflict is confined to a geographic area or has spilled over into neighboring territories. Because NotPetya’s Russian origin and Ukrainian targeting is so clear and so accepted internationally, it also means that the court can clearly define Merck as being neither in the relevant countries at the time nor an intended target of a military attack. The most meaningful way to define Merck in terms of its status in this conflict is to call it a civilian, nonbelligerent company completely outside the realm of conflict.

The damage that Russia did to Ukraine’s critical infrastructure with NotPetya was the result of a warlike action—the malware caused significant real-world impacts in the context of a geopolitical conflict. But NotPetya’s impacts were not confined to Ukraine—far from it. And the damage that same malware did outside the context of the Russia-Ukraine conflict was not targeted or a deliberate act of cyberwar: It was undoubtedly disruptive and expensive and disastrous, but Merck and other victims were not party to the warlike conflict between two nations—a conflict that is currently seriously escalating.

But there is currently no good way for talking about and dividing up the different impacts of a single piece of code in the context of insurance claims, so the question becomes misleadingly binary: Was NotPetya’s impact an act of cyberwar or not? Merck wasn’t specifically targeted by NotPetya; it was a noncombatant outside the theater of war, but that doesn’t mean a war wasn’t and isn’t going on.

In that sense, the Merck ruling is only the start, not the end, of insurers trying to sort out how exactly they do—and do not—want to provide coverage for large-scale cyberattacks in a market that is still struggling to come to grips with a set of risks that have so far largely defied traditional actuarial tools of measurement and modeling.

The New Jersey ruling is interesting and significant for several reasons. Most immediately, there are other ongoing lawsuits about whether or not insurers will have to cover NotPetya-related losses under property insurance policies. For instance, multinational food company Mondelez is currently involved in a similar dispute with its insurer Zurich. The Merck ruling is a strong signal to insurers that they are probably on the hook for those losses, even though the NotPetya attack has been widely attributed to the Russian government as part of its ongoing and escalating conflict with Ukraine.

Future damages from cyberwar could become much more difficult for firms to recoup via insurance, and the costs  may instead fall squarely on the business, the shareholders, and the business country of origin.

More than that, it’s a signal that insurers will be on the hook to cover losses associated with state-sponsored cyberattacks under property insurance policies unless they change the language in those policies. That’s a big deal because over the course of the past few years insurers have been aiming to consolidate cyberwar-related losses under standalone cyber-insurance policies. Those cyber-specific policies often have much lower limits and are typically capped at tens of millions of dollars, unlike property policies, which can often surpass overall limits of more than a billion dollars, as Merck’s did. That’s why Merck wanted to file a claim for NotPetya under its property insurance, not just its cyber-insurance.

Insurers will have to move quickly now to rewrite the language in their property insurance exclusions to make sure they don’t have to cover such losses under enormous property policies in the future. However, this rewriting could mean that potential damages from cyberwar will become much more difficult for businesses to recoup via insurance, and the costs of those damages may instead fall squarely on the business, the shareholders, and the business country of origin.

For the everyday people and businesses that have been impacted by acts of cyberwar spilling over borders into their homes and hospitals and businesses, having a legal system that understands the very real impacts of cyberweapons and appropriately applies case law is going to be increasingly important.

The New Jersey decision is an example of a judge who thinks what happens on the internet isn’t real. That makes for bad law, even if the correct decision was reached.