Merck Wins Insurance Lawsuit re NotPetya Attack

The insurance company Ace American has to pay for the losses:

On 6th December 2021, the New Jersey Superior Court granted partial summary judgment (attached) in favour of Merck and International Indemnity, declaring that the War or Hostile Acts exclusion was inapplicable to the dispute.

Merck suffered US$1.4 billion in business interruption losses from the NotPetya cyber attack of 2017 which were claimed against “all risks” property re/insurance policies providing coverage for losses resulting from destruction or corruption of computer data and software.

The parties disputed whether the NotPetya malware which affected Merck’s computers in 2017 was an instrument of the Russian government, so that the War or Hostile Acts exclusion would apply to the loss.

The Court noted that Merck was a sophisticated and knowledgeable party, but there was no indication that the exclusion had been negotiated since it was in standard language. The Court, therefore, applied, under New Jersey law, the doctrine of construction of insurance contracts that gives prevalence to the reasonable expectations of the insured, even in exceptional circumstances when the literal meaning of the policy is plain.

Merck argued that the attack was not “an official state action,” which I’m surprised wasn’t successfully disputed.

Slashdot thread.

Posted on January 25, 2022 at 9:35 AM

Comments

TimH January 25, 2022 10:01 AM

How do you show that it was “an official state action”? A bit like the Israeli/US attack on Iranian centrifuge controllers, countries don’t admit to illegal acts of war.

John January 25, 2022 10:55 AM

Hmmm….

Exceptions only apply to large amounts!

My son was murdered. Insurance only paid 50%.

Business as usual.

John

Clive Robinson January 25, 2022 11:09 AM

@ Bruce,

Merck argued that the attack was not “an official state action,” which I’m surprised wasn’t successfully disputed.

I’m not.

As I say from time to time “show the court admissible evidence?”

I know civil court proceedings have lamentable evidentiary standards, but…

It is argued that NotPetya was used against the Ukraine, as part of Russian attacks. But was it the Russian state? Probably not; evidence at the time suggested it was “criminal Ransomware” that had been “improved”, but by whom? And why?

No one has yet provided actual evidence, just at best “association” claims that have not been substantiated.

Also something everyone tends to forget is that NotPetya spread back to Russia, striking the state oil company Rosneft and similar quite hard.

Most state level agencies/actors usually take quite a bit of care not to “shoot themselves in the foot”.

The fallout from that, with regards to malware coming from Russia, was the criminals started putting detection methods in to ensure they were not attacking Russian computers.

Suggesting that Putin “put the word out” to those criminals acting under the protection of Russian Law.

And that’s the problem… The reality is that the software was not, as far as we know to any evidentiary level, made by the Russian state, acquired by the Russian state or deployed by the Russian state. In fact evidence suggests it was a criminal gang “joining in the fun” or as a “favour”.

Yes the UK and US “attributed” it to Russia, but evidence was not forthcoming… In fact they appeared to be simply following a suggestion from the Ukraine,

https://www.bbc.com/news/technology-40442578

The important thing to note is that much was made of the fact that rather than encrypt files it simply wiped the Master File Table. Thus it was a “wiper to destroy data” rather than “ransomware for money”. But wiping the MFT in fact leaves the data intact and could with a little knowledge be recovered. But also mileage was made on the fact it was “FiveEyes malware” that was being used that had “escaped from the NSA”. So both the UK and US Governments were keen to distance themselves in any which way they could.

Then a year later,

“NotPetya malware attack: Chaos but not cyber warfare”

Was the effective finding of global cyber insurance and risk-management firm Marsh. In the report they published they indicated that

“NotPetya doesn’t meet the requirements to be classed as cyber warfare because the main impacts were only economic, focused on civilian infrastructure and that the goal of the attack wasn’t ‘coercion or conquest’.”

https://www.marsh.com/us/insights/research/notpetya-was-not-cyber-war.html

So not something that is going to get argued too well in court even for 1.4 billion…

Anders January 25, 2022 12:12 PM

@Clive

Media news is one thing.
Official indictment is a whole other thing.

hxxps://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and

They probably have evidence we just don’t know.
However in Russia high level cybercriminals often work for
the government and at the same time hackers from those three-letter
agencies there do moonlighting jobs for cybercriminal world.
So everything is tied and mixed.

Ted January 25, 2022 12:13 PM

Yes, I do not think the line of reasoning that it was not “an official state action” did much to win the case.

The recent ruling restated Ace’s position that the evidence overwhelmingly demonstrated that NotPetya was an instrument of the Russian Government, and no other fact finder could have proven otherwise.

However the ruling also concluded: “Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks.”

Ouch for Ace. That sound you hear is all the insurers madly updating all their contract language. And perhaps you can hear Merck’s management team fainting into their chairs from relief.

Ted January 25, 2022 12:15 PM

Also, I thought it was funny that someone wondered what the hourly rate for the lawyers was. I bet it was substantial, but could that have influenced the ruling? I don’t know much about this, but I wonder if the case will set any kind of precedent if future contract language is deemed ambiguous?

Andy January 25, 2022 2:00 PM

@Anders: “Official indictment” is just an allegation by a prosecutor, a federal one this time. Not until proven in a court of law should it lead to a conviction.

Dorothea January 25, 2022 5:02 PM

@ Clive,

As I say from time to time “show the court admissible evidence?”
I know civil court proceedings have lamentable evidentiary standards, but…

The only part I’m surprised at is that this was done on summary judgement, which, as I understand, means the evidence was so weak and/or irrelevant that there wasn’t even a reason to hold a trial to consider it.

Clive Robinson January 25, 2022 7:26 PM

@ Dorothea, ALL,

The only part I’m surprised at is that this was done on summary judgement, which, as I understand, means the evidence was so weak and/or irrelevant that there wasn’t even a reason to hold a trial to consider it.

It’s a bit more complicated than that. A summary judgment can be called for at any time during a proceeding, often during the early stages when something becomes apparent that was not previously clear or considered by either party.

In this case it appears the judge decided that, as the issuing agency had not changed the terms and conditions in the policy, they could not subsequently claim they meant something else when faced with a claim.

The question now, as 1.4 billion is on the line, is whether the policy issuers are going to be able to find grounds to appeal.

Two things are almost certain,

1, That scratching noise you hear is lawyers rewriting policy terms that have been used for nearly a century.

2, With 1.4 billion at stake on this case and potentially more on others, the lawyers of both sides will be burning the midnight oil for days to come.

In the past I’ve mentioned I thought cyber security insurance issued would be bad news, but for a different reason (though it could yet come to apply).

Ordinary “physical risks” like fire or burst pipe tend to be random in nature at the individual level, however they quickly “average out” so risk can be reasonably calculated over time.

Cyber attacks however are not in any way random that averages over time in human terms. A bad news worm will hit thousands at the same time, not over a long period of time of weeks, months or decades.

The way insurance works traditionally, they are not set up for this kind of “break the bank” risk…

SpaceLifeForm January 25, 2022 7:38 PM

@ Dorothea

It was partial summary judgement.

It is not over yet.

But I think Ace will fold their hand.

Anders January 26, 2022 6:35 AM

@Andy

That’s not important. Important here is that they reached
specific names. That’s impressive. If they disclose those
exact names, they also have proof. Solid proof.

Clive Robinson January 26, 2022 10:19 AM

@ Anders, Andy, ALL,

That’s impressive. If they disclose those exact names, they also have proof. Solid proof.

Nope… That’s not how the game is being played…

All the prosecution has done is pulled some names out of a hat and gone with those.

The reason is they don’t care, because they can have the court case without them; as they are not in attendance they get found guilty in absentia.

The prosecution then uses those fake convictions to get sanction and sequestration orders…

That is what the game is, because they assume the defendants will be “no shows” so they can say anything and produce any old crap for court knowing it will not be challenged…

Only they tried it on with some oligarchs and were shocked to find an army of well paid US lawyers turn up for the defence. Things got challenged and it all got quite strained. The last I heard the prosecution had been stopped. So I don’t know what the outcome will be.

But as I said these indictments are mostly at best basically evidence-less assumptions dressed up to look like something they are not. So if they get challenged the chances are they will be withdrawn because they are not admissible or because of “methods and sources”. Add to that the defendants’ right to openly cross examine their accusers etc in court, not by video link etc but in court on the day…

Which makes any prosecution witness vulnerable.

The prosecutors might be able to push a cart load of rancid old baloney past a grand jury, but an actual defended court case… Unlikely at best.

The point is it’s a game of stepping stones and the US prosecution assume things will go undefended, then they can move to grabbing assets and pushing sanctions.

It really is a silly game to play, because Russia could play it too, and under their legislation they reserve the right to send out executioners into foreign jurisdictions. Something the US public really would get upset about.

The US has been doing some really stupid things legally since the end of the Second World War by making it for political reasons. So other nations have passed legislation as a response and sooner rather than later someone will act on it, and that’s when things get unpleasant.

Remember, due to the OPM data breach more than one foreign nation has a pretty good list not just of US persons given clearances but where they work and where they live and their nearest and dearest…

pup vas January 28, 2022 1:55 PM

Tag – insurance
Major legal changes needed for driverless car era
https://www.bbc.com/news/technology-60126014

=Human drivers should not be legally accountable for road safety in the era of autonomous cars, a report says.

In these cars, the driver should be redefined as a “user-in-charge”, with very different legal responsibilities, according to the law commissions for England and Wales, and Scotland.

If anything goes wrong, the company behind the driving system would be responsible, rather than the driver.

And a new regime should define whether a vehicle qualifies as self-driving.

In the interim, carmakers must be extremely clear about the difference between self-drive and driver-assist features.

There should be no sliding scale of driverless capabilities – a car is either autonomous or not.
And if any sort of monitoring is required – in extreme weather conditions, for example – it should not be considered autonomous and current driving rules should apply.=
More interesting details in the article.

someone January 30, 2022 10:14 AM

Reading the actual decision will imo resolve many of these questions (including the court’s rationale for summary judgement), and should be much more efficient than partially informed debate here could ever be. The decision in Merck v. Ace American is available here in full:
hxxps://www.documentcloud.org/documents/21183337-merck-v-ace-american
My conclusion after reading the judgement is that it was based on what Merck could reasonably expect the policy exclusion to cover (a process known as “construction”), not on whether or not the Petya attack can properly be construed as an “act of war” in an absolute sense. Part of the court’s reasoning was based on the fact that the language of the policy exclusion had not changed in many years, and largely predated cyber attacks.

someone January 30, 2022 10:29 AM

@pupvas re: insurance – The result of those findings will be that all automakers will stipulate by legal agreement that their vehicle is not truly autonomous, although marketing materials will be designed to convey the impression that it is. Caveat emptor. That’s fine with me; I am very skeptical about absolving a single human in a vehicle of operator responsibilities and accountability under any circumstances. I suspect the timing for releasing those findings might have been prompted by the recent decision in the case where a Tesla driver was held responsible for a fatal accident in which he failed to observe a stop sign while using a driver assistance feature, and broadsided another vehicle, resulting in fatalities. Interestingly, that driver was employing driver assistance software that was only capable of cruise control and lane maintenance functions; there was nothing that implied that the software could stop the vehicle in response to traffic signals or road hazards. In that case, there can be no questioning the accountability of the driver.

Clive Robinson February 2, 2022 11:41 AM

@ ResearcherZero,

Any evidence is a state secret.

Which is the making of a punch line of a political joke (of whom we have too many in power currently).

But seriously though,

1, Whilst “secret evidence” may be a “secret”.
2, It is not “evidence” in the expected manner of a court proceeding…

If the US want to play stupid games, then they ought not sully the name of their legal system whilst doing so…

There is a reason why, over a thousand years ago, evidence had to be presented in front of a “tribunal of peers” and an independent adjudicator. That reason has not become any the less in that time, in fact rather more.
