Cyberliability May be a Bitter Pill to Swallow in Merck v Insurers
Merck and Co., Inc. and International Indemnity LTD v. Ace American Insurance Company et al., New Jersey Civil Part Docket No. L-002682-18, filed August 2, 2018.
On August 2, 2018, pharmaceutical giant Merck filed a civil suit in Union County, New Jersey, state court for declaratory relief and breach of contract against fifteen insurers, and through its wholly owned subsidiary, International Indemnity, against seven reinsurers, for damages resulting from the June 27, 2017, ‘NotPetya’ cyberattack.
Civil Complaint
The complaint alleges that the insurance policies provide coverage for damage to property, specifically for ” … any destruction, distortion, or corruption of any computer data, coding, program, or software. In addition, the Insurance Policies contain a separate insuring agreement for ‘Computer Systems – Non-Physical Damage’.”
The complaint further alleges that on June 27, 2017, Merck experienced a network interruption ‘event’ from a malware / ransomware infection which corrupted their ‘… computer data, coding, program or software …’, caused extensive disruption of its worldwide operations, and thus it suffered damages in excess of the policy deductibles. Interestingly, the complaint does not state that the ‘event’ was caused by the international ‘NotPetya’ cyberattack. Was this language an attempt to dodge any ‘war or terrorism’ policy exclusion?
Merck has requested, in addition to a declaratory judgment in its favor, substantial damages for the ‘event’ losses, pre- and post-judgment interest, attorney fees and costs.
War or Terrorism Exclusion by Insurers
Nevertheless, the defendants have denied coverage claiming that the ‘event’ was an act of war or terrorism excluded under the policies.
NUFIC Defenses
For example, on October 12, 2018, National Union Fire Insurance Company (NUFIC) filed an Answer denying the claims and added affirmative defenses, including (in the Fifth) that acts of war and terrorism were excluded under policy endorsement No. 6, (in the Seventh) that ‘other insurance’ provisions apply to the June 27, 2017, NotPetya cyber-attack, and (in the Eighth) that Merck had to first exhaust coverages under its separate cyber insurance policies before NUFIC could make a final coverage determination.
Zurich American Defenses
Similarly, on October 12, 2018, Zurich American Insurance Company (Zurich) also filed an Answer with Affirmative Defenses, and specifically in the Sixth, asserted Loss or Damage Excluded: “This policy does not insure the following: A. 1. Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending or expected attack: (a) by any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval, or air forces; (b) or by military, naval, or air forces; (c) or by an agent of such government, power, authority, or forces; … 3. Loss or damage caused by rebellion, revolution, civil war, usurped power; or action taken by governmental authority in hindering, combating, or defending against such occurrence; … This policy does not insure against loss or damage caused by or resulting from Exclusions A., B., or C., regardless of any other cause or event contributing concurrently or in any other sequence to the loss. … The Hostile or Warlike Action Exclusion.”
Zurich concluded with claims for relief including judgment … “(c) Declaring that the losses alleged in the complaint filed by Merck and International Indemnity are excluded by the Hostile or Warlike Action Exclusion included in the Zurich policy; …”.
For Zurich, this action preceded the Mondelez International v Zurich American Insurance, suit filed in Illinois State Court on October 10, 2018, alleging similar damages from the NotPetya attack.
Case Management Order
The February 19, 2019, Case Management Order in the Merck case specified April 6, 2020, as the deadline for completion of discovery, and June 15, 2020, for initial dispositive motions.
By June 7, 2019, the parties had stipulated to the dismissal of just one defendant, Lloyds London Syndicate 382.
Cyber Hot Potato
These cases could take years to process through the courts and will be watched by the cyber insurance industry with great interest to see how the War and Terrorism exclusions are applied to cyber attacks like NotPetya. Attacks alleged (but not proved) by nation state actors without a formal declaration of war, or official governmental conclusion of terrorism. This determination is the insurance industries’ big-dollar ‘hot potato’ which will eventually fall to the courts to define and decide – possibly as early as the Summary Judgment motions.
Bitter Cyber-pill
In conclusion, taking the facts as alleged to be true, and that the NotPetya cyber-attack was perpetrated by a nation state actor, the common sense result would be that the ‘war and terrorism’ exclusions would apply. If ultimately that is not the case, it will be a bitter cyber-pill to swallow for the insurers.
Commentary by Attorney Timothy F. Mills, Editor / Action Cyber Times™ © 2019 All Rights Reserved.
Action Cyber Times™ provides resources for cybersecurity, data privacy, compliance, breach reporting and risk management, intellectual property theft, and the utilization of emerging technologies such as artificial intelligence, machine learning, blockchain DLT, advances in cryptographic applications, and more.
Disclaimer: The content available on the web site and in the blog posts is for informational purposes only and is not intended to, and does not, provide legal advice. Contact and retain an appropriate professional for legal advice. Use of this content or any of the links contained within the site do not create an attorney-client relationship. The opinions expressed are the opinions of the author.