The potential agreement between Merck & Co. and its insurers over a $1.4 billion claim stemming from the NotPetya attack will reshape how the insurance sector words war exclusion clauses in its policies. Organizations must evaluate what these changes mean for their risk, said attorney Peter Halprin.
This settlement ends a long-running legal battle between Merck and multiple insurance firms that were contesting a 2023 court ruling. The ruling stated that the insurers couldn't use the "hostile warlike action" clause to deny coverage of the pharmaceutical giant's claims following the NotPetya cyberattack in June 2017. The attack also affected numerous other global companies, including the shipping titan A.P. Møller – Maersk and the snack food corporation Mondelez. The total cost of the NotPetya incident is generally pegged at around $10 billion globally.
Merck's insurers argued that the NotPetya malware was a strategic move by Russia amid its ongoing conflict with Ukraine. However, they recently withdrew their appeal to the Supreme Court of New Jersey, which challenged an appellate court ruling from May. That ruling upheld a lower court's decision that the warlike action exclusions did not apply to the losses Merck suffered.
The specific phrasing of the war exclusion clause in Merck’s “all risk” policies did not mention cyberattacks, cyber wars, or cybercrimes. Therefore, according to Halprin, a partner at the Haynes and Boone law firm, the exclusion should be understood in the same way as conventional war exclusions and property policies, which typically focus on physical conflicts or armed warfare.
The developments in the Merck case will shape how insurance companies construct their policies, he said. Merck serves as a case study in structuring policy terminology and phrasing, underscoring the need for precisely crafted exclusionary language, he added.
As new war exclusions emerge in the market, it's crucial that customers and their brokers work with insurance providers. The aim is to make certain that any exclusionary wording related to cyber warfare is very precise, restricted and focused.
The Merck dispute underscores how difficult it is to pinpoint specific culprits in cyber incidents when seeking to apply exclusions, Halprin said.
“The primary concern emerging from much of the recent exclusionary jargon revolves around the idea of attribution, particularly if a cyberattack can be traced back to a specific country. This would liken it more to a conventional war as opposed to actions of a criminal group or an individual perpetrator,” he said.
At times, one can identify instances of a government-backed hacking group’s involvement. However, in certain nations, criminal hacking collectives exist that are subtly linked to, and even unofficially endorsed by, the government, as per our observations.
“They are aware that they’re pilfering funds from Americans, and they’re widely recognized as adversaries. However, it’s not always explicitly orchestrated by the national government itself, which is why determining responsibility becomes incredibly complex.”
During this conversation with the Information Security Media Group, Halprin also delved into:
Halprin is a partner in Haynes Boone's insurance recovery division, based in the firm's New York branch. His experience spans arbitration, litigation, and mediation of claims across a variety of insurance policies, resulting in the recovery of hundreds of millions in insurance funds. Apart from his professional duties, Halprin also teaches law as a part-time lecturer at the Benjamin N. Cardozo School of Law. Prior to his current role, he was a partner at the law firm Pasich LLP.