Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
The Courts

Merck Wins Cyber-insurance Lawsuit Related To NotPetya Attack (therecord.media) 20

A New Jersey court has ruled in favor of Merck in a lawsuit the pharmaceutical company filed against its insurer, Ace American, which declined to cover the losses caused by the NotPetya ransomware attack. From a report: The NotPetya incident, which took place in June 2017 and impacted thousands of companies all over the world, destroyed data on more than 40,000 Merck computers and took the company months to recover. Merck estimated the damage at $1.4 billion, a loss caused by production outage, costs to hire IT experts, and costs of buying new equipment to replace all affected systems. At the time, the company had a $1.75 billion "all-risk" insurance policy, which included coverage for software-related data loss events. However, Ace American refused to cover the losses, citing that the NotPetya attack was part of Russian hostilities against Ukraine and, as a result, was subject to the standard "Acts of War" exclusion clause that is present in most insurance contracts. Merck sued Ace American in November 2019 and argued in court that the attack was not "an official state action," hence the Acts of War clause should not apply.
This discussion has been archived. No new comments can be posted.

Merck Wins Cyber-insurance Lawsuit Related To NotPetya Attack

Comments Filter:
  • Very interesting, with more and conflicts being "undeclared wars", I wonder it will do to the insurance landscape.
    • Re:Acts of War (Score:4, Informative)

      by fahrbot-bot ( 874524 ) on Friday January 21, 2022 @04:51PM (#62195791)

      Very interesting, with more and conflicts being "undeclared wars", I wonder it will do to the insurance landscape.

      In this case, it's causing insurance companies to update their clauses. Ace American could have, but didn't. From TFA:

      Merck’s lawyers said that the exclusion clause contained language that limited the Acts of War to official government agencies and did not specifically mention cyber-related events; and, as a result, the clause should not apply to their customer.

      In a ruling last month, spotted by Lexology, the New Jersey Superior Court has sided with Merck and its strict interpretation of the Acts of War clause.

      “Given the plain meaning of the language in the exclusion, together with the foregoing examination of the applicable caselaw, the court unhesitatingly finds that the exclusion does not apply,” Judge Thomas J. Walsh wrote in an opinion justifying the ruling.

      The judge argued that despite knowing that cyber-attacks can be acts of war, Ace American also did not move to update the language in its exclusion clauses.

      “Certainly they had the ability to do so,” Judge Walsh said about Ace American. “Having failed to change the policy language, Merck had every right to anticipate that the exclusion policy applied only to traditional forms of warfare.”

      The case, while not a matter of mainstream news, has had a huge impact on the insurance business, and several insurers in recent years have moved to update the language of their Acts of War exclusion clauses, with the latest being Lloyd’s, which updated its language just days before the court’s ruling.

      • But then going forward, cybersecurity insurance will be meaningless if any attack could be considered as "act of war", once you have that language included in the contract. Because insurance company could almost always find a foreign link in any cyber attack or ransomware attach and claim its act of war.
        • The ruling here specifically picks a part the contract failing to outline cyber attacks as acts of war and this the using the clause has no basis.

          The case would be different if the language was included and likely a more difficult ruling but it doesn't mean it would be in favor of the insurance company. We would have to wait and see.

        • by Corbets ( 169101 )

          Presumably, we’ll stop buying coverage as it comes meaningless, and the insurers will adapt, and the game will continue.

  • pissing contest between the companies IT/Execs covering themselves for failure and the insurance companies IT/Execs trying to cover themselves from the potential huge loses incurred because their customers IT/Execs mishandled their own internal IT security.
    I can see really invasive/costly insurance company IT security audits coming soon to all business near you.
    • It is about time that baselines became a requirement for cheaper insurance in order to incentivise decent IT security, Insurance should be cheaper for independently pentested businesses which align to decent security baselines. Then, if businesses get owned, an investigation can determine if they were actually doing as claimed.
    • by jmccue ( 834797 )

      And it may even get worse. I wonder if people with insurance policies like for Cars and Homes could be effected due to the rush of these companies to update policies.

      For example, self driving Autos. What if a "cyber" attack occurs that breaks these autos, will all damages need to be covered by the owner if someone is injured or killed ? Or a house burns down due to an IOT being attacked ?

      • "For example, self driving Autos." Bingo! but no problem! All the car makers, ride companies and their insurers will blame the occupant. So everyone will be required to carry self-driving taxi insurance just in case they ever use a self driving taxi service. Maybe government required riders on individuals home/rental insurance policies.
  • by bustinbrains ( 6800166 ) on Friday January 21, 2022 @04:09PM (#62195659)

    Litigation takes forever to resolve because when one party doesn't like the outcome, they tend to appeal if only to slow down the entire process. When a case is held up on appeal, it can take months for the appellate court to even get around to deciding whether or not they wish to hear the appeal in the first place.

  • by Miles_O'Toole ( 5152533 ) on Friday January 21, 2022 @04:27PM (#62195699)

    This is like watching a fight between a wife beater and a child molester. No matter who loses, you can't be happy there's a winner.

  • Ace American refused to cover the losses, ...

    An insurance company tried to weasel out of paying a claim? /sarcasm

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...