Merck’s settlement last week over its $1.4 billion claim tied to a 2017 Russian-linked “NotPetya” cyberattack leaves a major question in cybersecurity and international law anything but settled – can a “cyberattack” ever be considered an “attack” under the international laws of war? The insurance dispute is hardly the first time cybersecurity has been linked to nation-state security – as far back as 2014, China’s now President Xi Jinping declared that “without cybersecurity there is no national security” – but how did a major pharmaceutical chain’s insurance claim become a potential battleground for litigating the definition of war in the 21st century?
In 2017, Merck became one of the many multinational second-hand casualties of the NotPetya malware attack launched by Russia’s notorious Sandworm hacking group targeting Ukraine’s power grid and institutions. After downloading infected software, about 40,000 machines in Merck’s network were infected, causing massive disruptions in sales, manufacturing, research, and development. Though Merck didn’t have a cyberinsurance policy at the time, its attempted claims under more generalized “all-risk” policies kicked off years of litigation over the boundaries of war in the evolving cyber age.
Even before exceptions for a “global pandemic” became popular in boilerplate contractual clauses following the COVID-19 pandemic, many insurers already included “hostile/warlike action” and other standard war exclusion clauses, releasing them from liability for claims arising out of acts of war committed by nation-states. Leveraging such generalized language, a group of insurance companies sought to avoid covering Merck’s roughly $1.4 billion in losses stemming from the 2017 attack, but a New Jersey judge ruled in 2022 that Merck was entitled to roughly $700 million in claims still under dispute, finding that such clauses apply only to armed conflicts and “traditional forms of warfare.” While some criticized the decision, it was upheld in 2023 by the New Jersey appellate court, which agreed that the insurers’ exclusions required “the involvement of military action” and did not preclude coverage for damages caused by government action short of that military threshold, even if “motivated by ill will.”
While a final New Jersey Supreme Court decision on the question was narrowly averted by last week’s last-minute settlement, the lower courts’ interpretations of “military action” and “acts of war” may be out of step with the evolving global understanding of war in the digital age. The international community, as outlined in the Tallinn Manual, an authoritative document on the evolving law of cybersecurity and cyberwar, has agreed that a cyber operation may be deemed a use of force under international law if it has the same scale and effects as a traditional military attack. This includes cases where a cyber operation results in property damage akin to that which would be considered a use of force if produced by kinetic weapons. For example, the 2009 NSA-run Stuxnet malware infection of Iranian nuclear plants, which caused nuclear centrifuges to accelerate until they self-destructed, would be considered an act of war under this definition because the ultimate result, destruction of nuclear centrifuges inside Iran, is of the same scale and effect as a traditional kinetic strike on a nuclear facility, regardless of the fact that the result was brought about not by bombs but by computer code. Under this standard, most observers have considered at least the direct NotPetya attack on Ukraine to amount to an act of war, but little international attention has been paid to the collateral damages from the attack, including those sustained by Merck. In the New Jersey courts, the focus seemed to be less on the internationally recognized “effects-based” test and more on a “means-based” test informed by legal precedent in the insurance industry construing policy exclusions narrowly.
Of course, U.S. courts are not bound by more global academic understandings of cyberattacks and cyberwar. Still, with no ruling from the New Jersey Supreme Court, the question of where the limits of hostile/warlike action clauses lie remains, at least for now, essentially without guiding precedent in U.S. courts. Yet health care companies remain attractive targets for cyberattacks. And while most of the focus in the U.S. has been on ransomware attacks by non-state actors motivated by financial incentives, the industry is also an attractive target for nation-states hoping to cause serious harm to civilians and civilian infrastructure. Such direct attacks would be unquestionably escalatory, and if Merck or another major player in the U.S. health care system had been directly targeted in a way that led to physical injuries or loss of life, it’s hard to imagine the New Jersey court ruling the same way – that the cyberattack did not amount to hostile or warlike action merely because it did not fit the image of “traditional forms of warfare.”
Absent such extreme circumstances, courts across the U.S. may come to contradictory decisions on which cyber acts fall within and outside the scope of hostile and warlike action exceptions. Until the question arises again, and as similar future claims play out in different jurisdictions, the near-term practical impact of Merck’s insurance battle is that businesses and their insurers will now be arguing over far more exact contractual language accounting for cyberattacks in their general risk policies, as insurers push for clearer cybersecurity exclusions, though of course businesses would be best covered by retaining independent cyberinsurance policies. Even those policies, however, will likely see underwriters taking care that they do not cover nation-state-linked cyberattacks that are unambiguously in furtherance of a broader military conflict or intended to cause warlike consequences. For example, Lloyd’s of London, the British insurance marketplace, released four new cyberwar and cyber operation exclusion clauses in 2022, explicitly broadening, for policies covering cyberattacks, the coverage exclusions for state-backed attacks and for losses arising from war, declared or not. Considering the ongoing conflicts in Ukraine and the Middle East and the specter of potentially financially catastrophic cyberattacks associated with global conflicts today, the recent settlement likely will not draw focus away from reassessing cyber risk insurance and war exclusion policy language on both sides, and may even spur an entirely new market for cyberinsurance coverage specifically linked to nation-state actions.