Last week, Merck & Co. filed documents with the Supreme Court of New Jersey indicating that it reached a settlement with its “all risk” property insurers in a long-running coverage dispute involving over $1.4 billion in losses stemming from a 2017 NotPetya cyberattack that impacted tens of thousands of Merck computers. The coverage litigation, Merck & Co. v. ACE American Insurance Co., focused on the key question of whether the policies’ “hostile/warlike” exclusion applied to the NotPetya attack, which some intelligence agencies have attributed to Russian government attempts to destabilize Ukraine. The settlement was announced just a few days before the New Jersey Supreme Court was set to hear oral arguments during an appeal of the New Jersey state appeals court’s affirmance of a 2021 trial court ruling in Merck’s favor. Merck’s insurers had argued that Merck’s losses were barred by a war exclusion, but the New Jersey trial court found that the exclusion did not apply to malware and cyberattacks and instead was intended to apply only to physical acts of warfare between the armed forces of two or more countries. The terms and the amount of the settlement have not yet been disclosed.
While this significant settlement puts an end to the six-year battle for coverage for the pharmaceutical company, there are several key takeaways regarding coverage for cyberattacks that in-house counsel and risk managers should consider in 2024:
- Although the details of the Merck settlement remain unknown, it is noteworthy that Merck obtained coverage for the cyberattack under a property policy. After any cyber incident affecting a company’s business operations, it is important to consider all lines of coverage – not just cyber-specific insurance policies. First party policies may respond to certain types of cyber incidents that damage company infrastructure or interfere with ongoing business operations. Third party policies like CGL, D&O, and professional liability policies may also respond to claims or regulatory investigations arising from a cyber incident. All lines of coverage should be carefully considered after a cyber incident.
- Cyber incidents are sometimes perpetrated by foreign governments or quasi-state actors that may be engaged in armed conflict halfway around the globe. Policyholders should not assume that traditional “war” exclusions drafted during the Cold War necessarily bar coverage for twenty-first century attacks in cyberspace. In light of the New Jersey trial court and intermediate appellate court ruling, policyholders should work with coverage counsel to evaluate and respond to insurer arguments that war or state actor exclusions apply to cyber incidents.
- In response to the Merck litigation and other NotPetya related coverage disputes, the insurance industry continues to add new exclusions to limit their exposure to cyberattacks perpetrated by state actors or in connection with warlike conduct. As we discussed in https://www.propolicyholder.com/2023/02/new-exclusions-limit-insurance-coverage-cyber-attacks/, as of March 2023, Lloyds of London insurers mandated several new exclusions designed to cover cyberattacks, and U.S.-based insurers are increasingly following suit, either through new war or state-actor exclusions specifically addressing cyber exposures, or other language aimed at ringfencing exposure for widespread cyber events. This language is often negotiable.
- Although the terms and conditions of cyber policies vary widely, the threat landscape continues to evolve. Policyholders should carefully review their coverages every year with their brokers and coverage counsel to obtain the broadest coverage possible to mitigate against the risk of catastrophic cyber-attacks.