War or Cost of Doing Business? Cyber Insurers Hashing Out Exclusions

Published: 23/11/2024   Category: security




Following a settlement over Merck's $700 million claims over NotPetya damages, questions remain about what constitutes an act of war for cyber-insurance policies.



Drugmaker Merck's long legal battle with its insurance companies over the damages caused to its business by the NotPetya wiper worm ended last week when the company settled with a bevy of insurance companies that had refused to pay $699 million of the $1.4 billion in claimed damages, citing hostile/warlike act exclusion clauses.
Merck has remained mum on the details of the settlement — and did not return a request for comment — but the reported settlement will likely have less impact than the lawsuit's long road through the courts, which included two rulings for the drugmaker, cyber-insurance industry experts say. Already, cyber-insurance firms have clarified the act-of-war clauses in their policies, a task mandated by large insurance firms such as Lloyd's.
The sticking point is whether damaging cyberattacks by state-sponsored actors constitute an exclusion in a particular policy, says Shawn Ram, head of insurance for cyber-insurance firm Coalition.
"There's a lot of variation in language and attribution can be challenging," he says. "There's attacks that happen frequently from entities around the world that are connected in some way to government, but those attacks are rarely attributed to ... an official act of war."
With geopolitical conflicts expanding around the globe, and cyber operations a common tactic in many nations' arsenals, more companies are looking to mitigate risks from damaging cyberattacks, no matter whether the attacker is a nation's military or an independent cybercriminal group. The resolution of Merck's lawsuit sounds a note of hope for businesses and large industry organizations — from the National Association of Manufacturers to the Restaurant Law Foundation — which argued in support of Merck's lawsuit.
Merck's lawsuit stemmed from the NotPetya attack that hit companies and organizations worldwide in June 2017, wiping hard drives, disrupting operations, and causing significant business losses. For Merck, the attack was devastating, shutting down research, sales and manufacturing — in some cases, for weeks — with damages reaching a claimed $1.4 billion. Some insurers, however, refused to pay for the damages, claiming that the widespread attack fell under the act-of-war clauses common in insurance policies, and in particular, Merck's property-insurance policy, under which it made the claim.
Even after a widespread effort by the insurance industry to clarify those exclusions, companies should take care and ensure that they are getting the coverage that they need, says Alla Valente, a senior analyst with Forrester Research.
"It's really important that all organizations read the fine print — those terms, those conditions — but also what the exclusions look like, because the policy might pay for certain types of cyberattacks, but not others," she says. "Or, they might pay for cyberattacks, as long as you're maintaining a certain level of security best practices."
In the latest milestone in the saga, the insurance companies settled with Merck right before the drug company and its insurers were due to argue their cases before the New Jersey Supreme Court. Merck had already won favorable rulings during an initial trial, with the court unhesitatingly ruling against the insurance companies and their attempted use of the hostile/warlike action exclusion. The appellate court later affirmed that decision, according to its May 2023 ruling.
"Coverage could only be excluded here if we stretched the meaning of hostile to its outer limit in an attempt to apply it to a cyberattack on a non-combatant firm that provided accounting software updates to various non-combatant customers, all wholly outside the context of any armed conflict or military objective," the ruling stated. "But that approach would conflict with our basic construction principles requiring a court to narrowly construe an insurance policy exclusion."
While insurance companies likely avoided a third loss by settling, the insurance industry had already embarked on clarifying exclusions to broad outbreaks of cyberattacks. In August 2022, insurance giant Lloyd's issued requirements for its underwriters for state-backed cyberattack exclusions to minimize catastrophic losses to the cyber-insurance industry.
"[W]hen writing cyber-attack risks, underwriters need to take account of the possibility that state backed attacks may occur outside of a war involving physical force," Lloyd's stated in its 2022 Market Bulletin on state-backed cyberattack risks. "The damage that these attacks can cause and their ability to spread creates a similar systemic risk to insurers."
Following the settlement, it's even more important that companies are clear as to what damages they want to be covered by their cyber insurance. In particular, they should specifically determine when any cyberattack could be classified as a hostile/warlike act that would be excluded from coverage, says Theresa Le, chief claims officer with Cowbell, an insurance company focused on using data and machine learning to adapt to the market.
"Part of this discussion should include whether the war exclusion wording is acceptable to the client. As a leading cyber insurance provider, we understand the need for the market to manage its exposure to systemic and catastrophic risk," she says. "Our team believes that clarity of intent is vital to the long-term sustainability and adoption of cyber insurance."
Yet companies should also realize that having to make an insurance claim is a poor substitute for blunting the attack in the first place, says Coalition's Ram.
"There's a reason why cyber is different — different than property, most notably property-related catastrophic events," he says. "Unlike an earthquake, unlike a hurricane, the policyholder has the ability to interdict, right? You can update your software, you can patch, you can put it behind a VPN — there's lots of ways, lots of things that you can do to mitigate against a large-scale event."
