RUSSIAN WARFARE: NEW JERSEY COURT HOLDS RUSSIAN-SPONSORED CYBERATTACK NOTPETYA IS NOT PART OF WAR EXCLUSION FOR ALL-RISK INSURANCE POLICY, AND ILLINOIS MIGHT SOON FOLLOW

By: Caleb Johnson, Volume 106 Staff Member

On December 6th, 2021, a New Jersey Superior Court announced in Merck & Co., Inc. v. Ace American Insurance Company that insurance companies could not use a hostilities/war exclusion to deny coverage to biopharmaceutical company Merck’s claim after falling victim to the NotPetya cyberattack.[1] The court focused its holding on the intent of the parties at the time of signing the insurance contract and found that cyberattacks were not part of that intended war exclusion clause.[2] Merck gets it right because this a contract dispute and not an analysis of the evolving state of modern warfare. The decision is likely to reinforce the desire to quickly amend all-risk insurance policies before Russia successfully launches another cyberattack.

War exclusions are a “staple” in insurance policies.[3] They are based on the idea that property damage from war is expensive, and rather than causing insurance companies to go bankrupt by paying all the claims, these otherwise all-encompassing insurance policies can have a carve-out.[4] The exclusion clauses at issue in Merck generally stated that the all-risk policy would not insure against: “Loss or damage caused by hostile or warlike action in time of peace or war . . . by any government or sovereign power . . . or by an agent of such government.”[5] The reason the insurance companies attempted to invoke the war exclusion in this case is because NotPetya was specifically supported by a foreign nation rather than a random nefarious group.[6]

The United States has charged six Russian intelligence officers with causing the NotPetya incident.[7] Sandworm, a Russian state-backed group, launched NotPetya in 2017 as a cyberattack intended to impact Ukraine’s financial system.[8] Almost out of Jurassic Park, Sandworm made NotPetya too good and the malware broke out into computers everywhere, including Merck, causing more than $10 billion in damage.[9]

The court in Merck went through an extensive review of the caselaw around war exclusions, dating back to the 1920s.[10] The court found that no decision had previously applied war exclusions to anything “remotely close” to a cyberattack.[11] Due to the lack of historical cases around cyberattacks and the extended length of time the exact same language was at use in the war exclusion clause, the court held that cyberattacks should not be in the war exclusion and Merck should recover.[12]

While not precedential in this case, the U.S. Department of Defense (DoD) has written about whether cyberattacks are considered acts of war. The DoD Law of War Manual states that “[s]pecific law of war rules may apply to cyber operations, even though those rules were developed before cyber operations were possible . . . . The law of war affirmatively anticipates technological innovation and contemplates that its existing rules will apply to such innovation, including cyber operations.”[13] DoD takes a proactive approach to include cyberspace in tactical, ethical, and political calculations for military operations. By DoD standards, there are situations where an incident in cyberspace could be an attack under the Law of War, but not every incident rises to that level.[14]

While the court in Merck held that the plaintiff was entitled to believing only “traditional”[15] forms of warfare were excluded from coverage, the DoD has already been incorporating cyberwarfare into their understanding of war. Admittedly, DoD published the updated Law of War Manual (2016) only a short time before NotPetya appeared (2017).[16] At some point in the near future, cyberwarfare will likely be seen as a traditional—and strategically crucial—part of war. If insurance companies make even minimal efforts to change their war exclusion language, then future cyberattacks by state actors will likely fall within those war exclusions.

Also arising from the NotPetya incident is a pending case in Illinois, Mondelēz Int’l, Inc. v. Zurich Am. Ins. Co.[17] The war exclusion at issue in Mondelēz reads very similarly to the one in Merck.[18] However, Mondelēz is slightly more nuanced because the insurance contract expressly covered specific forms of “malicious cyber damage.”[19] The court may not need to discuss whether the war exclusion applies to the cyberattack to find coverage for food conglomerate Mondelēz International because of the potential ambiguity in the contract having a broad war exclusion that Zurich claims includes cyberattacks while also having a provision expressly covering malicious cyber damages that Zurich does not address.[20] Even if the court looks to the war exclusion, the presence of a separate clause on cyber damages may inform the analysis that cyberwarfare should not be excluded from insurance coverage based on the intent of the parties.

Overall, Merck gets it right because, while this dispute is related to acts of war, it is at its core a contract dispute. The Department of Defense might get the luxury of growing with the times and folding in new ideas without always needing addendums. But unless insurance contracts begin specifically allowing for a definition of warfare that can intentionally change and grow with the times, every time there is a new battlefield there will need to be updated contract language. The Mondelēz case will likely move forward this calendar year with an outcome similar to Merck, allowing the plaintiff to recover their insurance claim.[21] These two cases, from separate states, will likely lead to a slurry of attempted amendments to insurance contracts. At least one court found that cyberwarfare is not included in war exclusions and another is likely to allow coverage for NotPetya damages. These amendments may come either in specifying that war exclusions cover cyberwarfare or specifying that a malicious cyber damage clause does not include state-sanctioned attacks.

On February 24, 2022, Russia invaded Ukraine and around the same time launched the cyberattack “FoxBlade.”[22] The general consensus as of early March is that FoxBlade and other Russian cyberattacks[23] do not yet reach the potential technologically devastating levels of NotPetya.[24] That does not mean that another cyberattack is not coming sooner or later from Russia, or another country, that could again massively impact businesses. If insurance providers have not been able to update their all-risk insurance policy language since NotPetya, then it’s likely that the insured companies will be able to recover large amounts under their insurance policies even if there’s an exclusion for war.

 

[1] Merck & Co., Inc. v. Ace Am. Ins. Co., No. UNN-L-002682-18 (N.J. Super. Ct. Law Div. Aug. 2, 2018) [hereinafter Order]; About Our Company, Merck, https://www.merck.com/company-overview [https://perma.cc/UM3U-QJMT]; see, e.g., Catalin Cimpanu, Merck Wins Cyber-Insurance Lawsuit Related to NotPetya Attack, The Record (Jan. 21, 2022), https://therecord.media/merck-wins-cyber-insurance-lawsuit-related-to-notpetya-attack [https://perma.cc/MUJ8-LKUS].

[2] Order at 9–11.

[3] Thomas D. Hunt, The Internet of Buildings: Insurance of Cyber Risks for Commercial Real Estate, 71 Okla. L. Rev.397, 415 (2019).

[4] Sidney I. Simon, The Dilemma of War and Military Exclusion Clauses in Insurance Contracts, 19 Am. Bus. L.J. 31, 31 (1981).

[5] Order at 3.

[6] Ellen Nakashima, Russian Military Was Behind ‘NotPetya’ Cyberattack in Ukraine, CIA Concludes, Wash. Post (Jan. 12 2018), https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html [https://perma.cc/3EQF-2WW4].

[7] Zach Whittaker, US Charges Russian Hackers Blamed for Ukraine Power Outages and the NotPetya Ransomware Attack, TechCrunch (Oct. 19, 2020), https://techcrunch.com/2020/10/19/justice-department-russian-hackers-notpetya-ukraine [https://perma.cc/9NN9-TU65].

[8] Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, WIRED (Aug. 22, 2018), https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world [https://perma.cc/GKB7-XR9U].

[9] Id.

[10] Order at 9.

[11] Id. at 10.

[12] Id. (“The evidence suggests that the language used in these policies has been virtually the same for many years . . . . Despite [increasing commonness of cyberattacks], Insurers did nothing to change the language of the exemption to reasonably put this insured on notice.”).

[13] U.S. Dep’t of Def. Law of War Manual §§ 16.2–16.2.1 (2016).

[14] Id. § 16.

[15] Order at 11.

[16] U.S. Dep’t of Def. Law of War Manual (2016); Whittaker, supra note 7 (describing the 2017 attack).

[17] Docket, Mondelēz Int’l, Inc. v. Zurich Am. Ins. Co., No. 2018-L-011008 (Ill. Cir. Ct. Oct. 10, 2018).

[18] Complaint ¶ 13, Mondelēz Int’l, Inc. v. Zurich Am. Ins. Co., No. 2018-L-011008 (Ill. Cir. Ct. Oct. 10, 2018) [hereinafter Mondelēz Complaint] (“This Policy excludes loss or damage . . . caused by or resulting from . . . hostile or warlike action in time of peace or war . . . by any: government or sovereign power . . . or agent or authority of any party specified.”).

[19] Id. ¶ 7–8; see also Angad Chopra, Note, Cyberattack – Intangible Damages in a Virtual World: Property Insurance Companies Declare War on Cyber-Attack Insurance Claims, 82 Ohio St. L.J. 121, 143–46 (2021) (describing the contract provisions at issue in Mondelēz).

[20] Id. at 146–48.

[21] See Docket, Mondelēz Int’l, Inc. v. Zurich Am. Ins. Co., No. 2018-L-011008 (Ill. Cir. Ct. Oct. 10, 2018); Chopra, supra note 19, at 147–48 (predicting a favorable outcome for plaintiffs in Mondelēz).

[22] David E. Sanger, Julian E. Barnes & Kate Conger, As Tanks Rolled Into Ukraine, So Did Malware. Then Microsoft Entered the War., N.Y. Times, (Feb. 28, 2022), https://www-nytimes-com.cdn.ampproject.org/c/s/www.nytimes.com/2022/02/28/us/politics/ukraine-russia-microsoft.amp.html [https://perma.cc/HX6G-VZVJ] (describing how Microsoft has assisted in cyberdefense and named the new Russian malware “FoxBlade” in the process).

[23] Daryna Antoniuk, DDoS Attacks Hit Ukrainian Government Websites, The Record (Feb. 15, 2022), https://therecord.media/ddos-attacks-hit-websites-of-ukraines-state-banks-defense-ministry-and-armed-forces [https://perma.cc/X9RM-CRQC] (describing the government websites that were targeted even before the February 24 invasion).

[24] Josephine Wolff, Why Russia Hasn’t Launched Major Cyber Attacks Since the Invasion of Ukraine, Time (Mar. 2, 2022), https://time.com/6153902/russia-major-cyber-attacks-invasion-ukraine [https://perma.cc/5ZE8-DGEJ] (hypothesizing that the combined efforts of countries and companies to ramp up cyber defenses have helped curb the damage so far).