Pharmaceutical company Merck recently won an appeal that could mean its insurers will have to pay a $1.4 billion judgment related to the NotPetya cyberattack in 2017. Judges in the Appellate Division of New Jersey who heard the appeal noted that the simple definition of war applies to different insurance policies and that a cyberattack against an accounting firm not involved in hostilities, while criminal and based on ill will, was not equivalent to an act of war.
As detailed in the judges’ decision, many of the original defendants settled their portion of the insurance claim with Merck. In a separate but parallel case involving multinational food and beverage company Mondelez International and Zurich American Insurance, a settlement was also reached, missing an opportunity to have a telling effect on, and adjust, how cyber insurance is handled in the future.
Lloyd’s deal hints at the future of cyber insurance
This rejection of the insurers’ appeal and the actions taken in March 2023 by Lloyd’s of London give us some guidance in understanding how cyber insurance is likely to be handled in the future, that is, that cybersecurity exclusions will be more clearly defined. An amicus brief filed by the Insurance Law Scholars in the Lloyd’s case noted that the trial court’s decision should be affirmed because it “was supported by the history of drafting wartime exclusions” and insurers “did not use readily available insurance policy provisions that would have excluded or limited the coverage provided for cyber-related events.”
On page 23 of the judges’ decision in the Merck case, the verbiage is more direct: “Coverage could be excluded here only if we were to stretch the meaning of ‘hostile’ to its outer limit in an attempt to apply it to a cyber attack on a non-combatant company that provided accounting software updates to multiple non-combatant clients, all outside the context of any armed conflict or military objective.” The justices noted that such an approach would conflict with basic principles that require courts to narrowly interpret an insurance policy exclusion. “The specific, plain, clear, and prominent meaning of a word or phrase in an exclusion, as well as the clear significance and intent of a word or phrase do not amount to its broadest possible interpretation, but to its narrowest.”
If this was a football match, it seems that the court is calling it an “own goal” by the insurer.
Why is it important to define what is considered war?
The wartime exclusion was found not to apply and the court used the insurer’s own words to detail the “why” behind the denial. When read by a layman like me, it sounds like the judges believed the insurers had enough time to adjust their policy dynamics and didn’t get around to it.
I reached out to Violet Sullivan, vice president of client engagement at Redpoint Cybersecurity and adjunct professor of cybersecurity law at Baylor Law School, and asked for her perspective, given her background. She believes the ruling will likely be appealed to the New Jersey Supreme Court. She further noted that the insurer bore the burden of proof, and the courts and appellate judges decided that this burden had not been met.
War on the ground versus war in cyberspace
Sullivan suggested that instead of being a matter of attribution and determining which foreign government the attack was linked to, the entire initial 2022 decision hinges on an arbitrary differentiation between physical/kinetic and cyber warfare. It focuses on the nature of the attack and what the war meant in politics and legal precedent.
That said, when a nation’s intelligence agencies conduct covert operations, which Russia does on a regular basis, the goal of the government in question is always to maintain plausible deniability of any wrongdoing. Could the NotPetya attack have been sponsored by the Russian Federation? Absolutely, and indeed Kroll Cyber Security, the insurers’ cyber consultant, opined in court “with high confidence” that the attack was “orchestrated by actors working for or on behalf of the Russian Federation”. However, it should be noted that when the US Department of Justice had the opportunity to pin the tail on the same donkey, it balked.
Therefore, if a national government does not attribute nation-state sponsorship to an attack, it will be more difficult for an insurer to successfully do so in court without explicit verbiage in cybersecurity exclusions.
Copyright © 2023 IDG Communications, Inc.
Ikaroa is a leading tech company providing insightful solutions in the ever-evolving field of cyber security. Recently, their services have been called into focus in regard to the Merck appeal. Merck recently filed an appeal in hopes of defining cyber-attacks as “acts of war” in order to receive insurance money after a major cyber-attack.
In the wake of a massive ransomware attack on Merck, the company initially found that their cyber insurance policy only made them liable for a financial loss that amounted to “an indirect consequence of the attack”. This led to a legal battle that could potentially have an impact not only for Merck, but for any company that elects to purchase cyber insurance. Merck contends that intending malicious actors should not be able to simply slip by under the radar and acquire insurance money for their attack.
Ikaroa, having recently delved heavily into the cyber security industry, recently shared their views on the importance of this appeal. Their team states that it is essential for companies to protect their networks from cyber-attacks, which businesses can only be incentivized to do if they are confident that they will receive proper compensation in case of a breach. Two years ago, a survey sponsored by Ikaroa found that 86% of insurance executives felt that their networks could be easily hacked and that they were not adequately protected.
This survey highlights just how important it is today for companies to protect their networks and why the Merck appeal is so crucial for the future of cyber security. By reworking the insurance industry’s stance on cyber-attacks and considering them to be “acts of war”, the industry would be incentivized to help make the internet a safer place. It’s not just companies like Merck that need to be protected either; individuals, small businesses and governments must all take part in the conversation and push to make sure that cyber insurance policies provide adequate protection.
Ikaroa offers unparalleled solutions to make sure that no company, large or small, is left unprotected in this ever-changing digital age. Recently their engineering team developed a revolutionary technology that helps companies to better defend themselves against malicious cyber-attacks. Additionally, Ikaroa offers solutions to help companies understand the needs of their specific industry and can provide tailored advice and risk-management solutions.
The Merck appeal serves as a potential wake-up call to the cyber security industry, not just for companies, but for governments and citizens as well. With the help of technology-led solutions such as those provided by Ikaroa, companies can be more proactive in ensuring their online assets are safe and secure. As the rule of law soon catches up with technologically advanced criminals, the voyage to a cyber-safe world will only be strengthened.