A legal definition of cyberwar and its relationship with kinetic war has been avoided by a settlement between Merck and its insurers over damage caused by NotPetya.
Merck had lodged an insurance claim for $1.4 billion for damage caused by the NotPetya malware attack in 2017. Merck did not have cyberinsurance but made a claim under its ‘all-risks’ coverage.
NotPetya was attributed to Russia as part of an effort to attack Ukraine. For most people, this was an act of cyberwar against Ukraine. Its effect spread around the globe, causing billions of dollars of further damage in what, on the surface, appears to be collateral damage emanating from an act of cyberwar.
This basic stance was adopted by the insurers over Merck’s claim. Merck did not have cyber insurance, and the damage was excluded by the standard war exclusion clause. But a legal definition of cyberwar is a tricky problem, and is discussed by SecurityWeek in What is Cyberwar?
In January 2022, New Jersey Superior Court Judge Thomas J. Walsh found in favor of Merck. He said the war exclusion clause ‘does not apply’, and that “Having failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.”
The insurers appealed — but in May 2023, the New Jersey appellate clause upheld the original decision, saying that the NotPetya attack “is not sufficiently linked to a military action or objective as it was a non-military cyberattack against an accounting software provider.” The court specifically declined to discuss the relationship between cyberattacks and warlike exclusions: “Therefore, we decline the Insurers’ request to delineate the exact scope of what cyberattacks might be encompassed under the hostile/warlike exclusion.”
The insurers appealed again but have now settled with Merck. Merck can be considered to have won the argument although details of the settlement have not been disclosed.
Bloomberg Law comments, “Pharmaceutical giant Merck & Co. Inc. struck an 11th-hour settlement with insurers Wednesday, evading a New Jersey Supreme Court review of its massive cyberattack insurance dispute on the eve of an oral argument that could have set a national precedent impacting the booming cyber insurance market.”
We have learned more about what fails the cyberwar legal litmus test, but are no closer to a legal definition of cyberwar.
Related: Zurich Rejects Mondelez’ $100 Million NotPetya Insurance Claim Citing ‘Act of War’
Related: Malware Attack Disrupts Merck’s Worldwide Operations
Related: Petya/NotPetya: What We Know in the First 24 Hours
Related: Lloyd’s of London Introduces New War Exclusion Insurance Clauses
