A New Jersey judge last month said such clauses covered “traditional” war—physical, not cyber, activity. The decision, which came more than three years into a legal battle between pharmaceutical giant Merck & Co. and its property insurers, could have implications for who foots the bill for digital fallout from potential Russian cyberattacks against Ukraine in the present conflict.
The geopolitical standoff highlights legal gray areas around modern warfare, which increasingly threatens to disrupt faraway corporate computer networks, security and insurance experts say. The prospect of Russia-linked cyberattacks that could spill out of Ukraine has also raised the stakes for businesses trying to understand what their insurance covers, as well as for insurers that fear a cascade of claims at once.
“The insurance industry, like many others, is one big pendulum between fear and greed,” said Joshua Motta, chief executive of insurer Coalition Inc., which offers cyber-specific coverage. Mr. Motta said costly ransomware attacks in recent years have nudged the pendulum toward fear and pushed some insurers to ramp up prices or curtail coverage of cyber incidents generally.
Hackers recently disabled Ukrainian government computer networks and defaced official websites, leading Washington to warn of escalating breaches that could allow attackers to jump from initial targets in Ukraine to U.S. businesses.
While Ukrainian officials have blamed Russia for the hacks, the Kremlin has denied involvement, hinting at the difficulty of tying cyber activity to broader military campaigns. White House Press Secretary Jen Psaki on Wednesday said the U.S. could respond to future Russian cyberattacks in kind.
“But I’m not going to get into a hypothetical” about whether such hacks could constitute acts of war, she added.
Cybersecurity experts in recent weeks have warned of incidents similar to the Russian military’s 2017 hack of a Ukrainian tax-preparation firm. That incident rippled across connected computer networks to disrupt businesses including U.S. delivery firm FedEx Corp. and Danish shipping company A.P. Moller-Maersk A/S.
Kenilworth, N.J.-based Merck, which said it incurred $1.4 billion in costs as part of the so-called NotPetya hack, sued its property insurers for breach of contract after they denied coverage under general exclusions for acts of war. Last month, Judge Thomas Walsh of the Superior Court of New Jersey issued a partial ruling in the pharmaceutical company’s favor, in part because the clauses didn’t specifically cite cyberattacks.
“Having failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare,” Judge Walsh wrote. He added that the source of the attack was irrelevant.
Merck didn’t respond to requests for comment.
A similar case in Illinois could play out differently, said Judy Selby, a partner at Kennedys Law LLP who focuses on insurance.
Chicago-based Mondelez International Inc., which makes Ritz crackers and Oreo cookies, sued property insurer Zurich American Insurance in 2018 over NotPetya costs that the snackmaker said surpassed $100 million. In a court filing last week, Zurich American Insurance criticized the ruling in the Merck case in part because it failed to grapple with attribution of the NotPetya hack to the Russian military and treated hacks as a unique form of warfare.
Cyberattacks “have been part of the arsenal of weapons available to and used by nation states—particularly Russia—for many years,” said lawyers for Zurich American Insurance.
Zurich declined to comment further. Mondelez didn’t respond to a request for comment.
The insurance industry continues to wrestle with cyber risk as more of daily life moves online and technology providers grow more connected. In November, Lloyd’s Market Association, a trade group, published four first-of-their kind recommendations for how insurers can articulate act-of-war exclusions that cover hacks. Insurance experts say it is unclear how many insurers have adopted such language.
The Biden administration in recent months has looked to insurers to take a more prominent role in incentivizing companies to shore up their computer systems. Some cyber-specific insurers hope their in-house security expertise can help businesses avoid disruptive hacks and subsequent claims.
At Coalition, Mr. Motta’s team has been evaluating customers’ vulnerability to potential Russia-linked hacks in part by analyzing the Ukrainian government’s technology vendors, which could act as vectors for subsequent attacks. Coalition also has warned clients with particular exposure to the conflict, such as defense contractors or foreign-aid organizations, to harden their systems.
Policies offered by Mr. Motta’s firm exclude acts of war, as designated by a government, but cover cyber terrorism.
“Most of these things are incredibly ambiguous and, in fact, attribution is remarkably difficult,” he said. “For all intents and purposes, nation-state related things that are going to affect our customers are going to be covered, unless it’s outright declared as an act of military action or war.”
This story has been published from a wire agency feed without modifications to the text