What NotPetya Tells Us About Future Potential Cyber Risk Damages
While the White House and federal agencies such as the Cybersecurity and Infrastructure Agency have recently stressed the risk of Russian attacks on critical infrastructure companies, it is the potential of collateral damage against much smaller downstream vendors and unrelated companies that remains high due to the potential for self-propagating malware.
April 21, 2022 at 11:00 AM
On March 21, 2022, President Biden warned the nation that intelligence reports indicated that Russia was exploring cyberattacks against American companies, stating "… one of the tools [Putin is] most likely to use in my view, in our view, is cyberattacks." This escalated threat comes on the heels of the imposition of severe sanctions on Russia as a result of its invasion of Ukraine. This increased risk of potentially devastating cyberattacks occurs amidst an already fraught environment in which ransomware attacks more than doubled in 2021 (see Amiah Taylor, There's a huge surge in hackers holding data for ransom, and experts want everyone to take these steps, (Feb. 17, 2022)) and, after a brief retreat this past January, are back on the rise. As a result, cyber-insurance providers have had to reevaluate how to account for the additional risk posed by cyber-attacks in a war-time setting. It is this already-complicated background that made the December 2021 decision by a New Jersey Superior Court in Merck & Co., Inc. and International Indemnity v. Ace American Insurance Company, Case No. UNN-L-2682-18 (N.J. Sup. Ct.), notable for its potential consequences to the cyber-insurance market for small to medium-sized American businesses.
Despite the massive increase in cyber-attacks facing American companies over the last five years, a direct Russian cyber-attack on smaller companies is unlikely. Rather, while the White House and federal agencies such as the Cybersecurity and Infrastructure Agency have recently stressed the risk of Russian attacks on critical infrastructure companies, it is the potential of collateral damage against much smaller downstream vendors and unrelated companies that remains high due to the potential for self-propagating malware. The best-known example of this is, of course, the NotPetya attack. In the summer of 2017, Russia launched a ransomware attack against a Ukrainian tax preparation software company as part of its years-long assault on Ukraine. The attack led to the infection of dozens of Ukrainian companies and institutions, including the National Bank of Ukraine, but almost immediately created global ripples, leading eventually to billions of dollars in damages. Victims included international shipping behemoth Maersk, Mondelez International, and pharmaceutical giant Merck, but also much smaller entities. Regardless of size, these victims found themselves completely locked out of their networked systems, which ground their operations to a standstill. In effect, they had become collateral damage in Russia's cyber-campaign against Ukraine.
In the aftermath of NotPetya, both Mondelez and Merck looked to their insurers to cover costs. Merck sought to invoke its all-risk property insurance policy with Ace American to cover more than $1.4 billion in losses it had sustained. This policy, unlike more focused cyber-insurance policies, contained an industry-standard war exclusion. In pertinent part, the exclusion indicated that the policy did not apply to "Loss or damage caused by hostile or warlike action in time of peace or war … by any government or sovereign power (de jure or de facto) by any authority maintaining or using military, naval or air forces … or by an agent of such government." Ace American relied on this exclusion to disclaim coverage, claiming that NotPetya was "an instrument of the Russian Federation as part of its ongoing hostilities against the nation of Ukraine." After lengthy proceedings, the court found in December 2021, in an 11-page decision, that Merck was indeed entitled to summary judgment on the grounds that the warlike exclusion was inapplicable to the type of attack that Merck had sustained. In rendering its decision, the court relied heavily on contract rules of construction to determine Merck's "reasonable expectations," noting that in the context of all-risk policies, "[e]xclusions 'will be given the interpretation which is most beneficial to the assured'" (citing Holiday Inns. v. Aetna Ins. Co., 571 F. Supp. 1463 (SDNY 1983) and Pan American World Airways v. Aetna Casualty & Surety, 368 F. Supp. 109 (SDNY 1973)). The court further stated that, despite the knowledge that cyber-attacks had "become more common," Ace American's failure to change the exclusion's language meant Merck "had every right to anticipate that the exclusion applied only to traditional forms of warfare."
The decision, however, did little to address issues of attack attribution, which is likely to be a focal point of future similarly situated cases, thereby failing to provide certainty and instead suggesting that carriers will have to provide carve-outs for multiple factual permutations. (The New Jersey Appellate Division granted Ace American's motion for leave to appeal on February 24th.)
© 2024 ALM Global, LLC, All Rights Reserved.