Epic Insurance Q: When Is A Cyber Attack An Act Of War?

A 2017 cyber attack at drug maker Merck was said to have crippled more than 30,000 computers and 7,500 servers, and brought at least one manufacturing facility to a complete halt. As reported originally by Bloomberg News, Western intelligence agencies have said the culprit in this case was the computer virus called NotPetya, launched by Russian military intelligence, and the real targets were various agencies and industrial facilities in Ukraine. Merck’s problems, apparently, were therefore collateral damage stemming from the fact it had a Ukraine office. In seeking insurance coverage, Merck claims $1.3 billion in losses, and some carriers have settled. But others, including Allianz and units of Chubb Ltd, have not, and major litigation is now in progress in a New Jersey courtroom. Property policies, not cyber policies, are at issue, with the carriers arguing there is no coverage because of an exclusion for hostile warlike acts or acts of terrorism. But Merck, in what could be an important test case for the insurance industry, wants to call this a cyber event. This case is said to highlight the fact that the insurance industry’s exposure to cyber events is “almost incalculably hard to grasp.” Its major problem, however, is not cyber policies. According to the National Association of Insurance Commissioners, they accounted for $3.6 billion in premiums in 2018. The corresponding number for property policies is said to be $621 billion.