Lessons from Merck’s NotPetya victory

Merck & Co.‘s victory in a legal dispute with insurers over coverage for $1.4 billion in losses from the NotPetya ransomware attack of 2017 has significant repurcussions for cyber insurance buyers.

Policy wordings have developed which more clearly confront responsibility for the fallout from nation-state cyberattacks, but the majority of carriers are expected to introduce exclusions.

The pharmaceutical giant sued its insurers in the aftermath of the cyber attack when they denied coverage, citing a policy exclusion for acts of war.

The NotPetya attack was attributed to Russia. It was aimed at Ukraine, but it had a massive impact on companies around the world. 

In addition to Merck, Mondelez also took action against its insurer Zurich. The Mondelez case is ongoing in the Illinois Circuit Court for Cook County.

Lloyd’s cyber exclusion clauses

“The court in New Jersey ruled that the war exclusion clause did not apply because it applied to armed conflict rather than cyber warfare,” said Peter Groucutt, co-founder at Databarracks.

“The timing of this ruling is particularly interesting because it comes just after Lloyd’s issued its new cyber war and cyber operation clauses,” he added. ”The new clauses from Lloyd’s favour the insurers with broader definitions of cyber activities that can be excluded from coverage.”

“There is a lot going on between nation states that doesn’t qualify as ‘war’. Occasionally that spills over and affects organisations who might want to claim on their cyber insurance (as with NotPetya).”

Attribution remains a challenge because it is not always clear who was responsible for an attack.

”There is understandably a lot of deception in cyber warfare, with attackers leaving misleading breadcrumbs pointing to different attackers or nations,” says Groucutt. “These clauses allow the insurer to determine attribution if the government does not or ’takes an unreasonable length of time to’. That seems to be a dangerous case of checking one’s own homework.”

Bubbling threat landscape

Meanwhile, the threat has not diminished. In fact, CyberCube’s latest Global Threat Briefing warns that cyber hostilities between Israel and Iran, India and Pakistan and China and Japan could spill into other regions or lead to the development of new attack vectors.

William Altman, CyberCube’s principal cyber security consultant, said: “We monitor these regional cyber conflicts for indications that the boundaries of acceptable behaviour have been pushed past historic precedent.

”We’ve seen how this played out in the past with Russia’s critical infrastructure attacks on Ukraine. Common activities to observe in these hotbeds include espionage, disruption and destruction. They’re real breeding grounds for new modes of attack.

“Espionage attacks are currently still more prevalent than destructive attacks. However, increasingly there are nation state threat actors who are financially motivated and focused on intellectual property theft as well as ransom. In particular, researchers have noted the rise in ransomware operations emanating from North Korea and Iran.”

Healthcare and manufacturing among industries at risk

The report also identifies four industries that CyberCube believes will be targeted by cyber criminals – especially ransomware actors – in 2022. These are: healthcare, education, manufacturing and utilities. It also expects to see ransomware threat actors targeting software supply chains.

The report also states the global proliferation of ransomware has now reached the scale at which claims are outpacing premiums. Against the backdrop of a hardening cyber insurance market this is also a concern for buyers.

Darren Thomson, CyberCube’s head of cyber security strategy, said: “This year will certainly be an active one for cyber security and the insurance industry. New levels of cooperation between nation state actors and criminal gangs will likely be emerging and new thresholds of acceptable tolerances will be tested at the nation state level.

“This will certainly lead to collateral damage that will impact business. The big question is: how can a company grapple with a complex threat landscape and maintain profitability amidst what is a hardening market for cyber insurance?”