Examining Silent Cyber Coverage in the Wake of Russia’s Invasion of Ukraine

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning of the risk of Russian cyberattacks spilling over onto United States networks as part of the Russian invasion of Ukraine. This follows previous CISA warnings on the risks posed by Russian cyberattacks for critical infrastructure. The European Central Bank (ECB) has similarly warned European financial institutions of the risk of Russian cyberattacks and related market disruptions.

The risk of cyberattacks is forcing businesses and insurers to examine their policies to determine which coverages may apply to losses caused by a cyberattack. The current elevated risk draws into focus the recent decision in Merck and International Indemnity v. ACE (et al.), in which the Superior Court of New Jersey examined coverage under an All-Risk insurance policy for loss arising from the NotPetya malware. NotPetya was allegedly used by Russia in a cyberattack on Ukraine and spilled over into the rest of the world. The Merck court found that the “Hostile/Warlike action” exclusion contained in the subject policy was inapplicable and could not be used to exclude coverage for the loss.

Although the Merck court found coverage for the policyholder for a cyberattack under the non-cyber All-Risk policy, the Merck decision should not be read to support reliance on “silent cyber” coverage to protect companies from elevated risk losses due to cyberattacks.

A cyberattack or data breach event typically involves a third party attacking the computer systems of an individual or company for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing infrastructure; destroying the integrity of the data; and/or stealing controlled information. The productive time lost, and/or the theft or disruption of the company’s controlled information, can cause a direct loss—through business interruption, lost records, reputational damage, and costs to correct and repair the damage done by intruders.

A cyberattack may also subject victim companies to lawsuits from their customers, as well as fines and investigations from state and federal regulatory agencies. Unfortunately, such attacks become more widespread with each passing year.

Specifics of the Merck Case

On June 27, 2017, a major global cyberattack utilizing malware called NotPetya spread through France, Germany, Italy, Poland, the United Kingdom, and the United States. The majority of infections targeted Ukraine, where more than 80 companies were initially attacked, including the National Bank of Ukraine. The U.S. government said the cyberattacks were the work of the Russian military and were part of the “Kremlin’s ongoing effort to destabilize Ukraine [which] demonstrates ever more clearly Russia’s involvement in the ongoing conflict.” Multiple nations were critical of Russia for the spread of NotPetya. Nevertheless, the Russian Federation denied involvement.

One of the companies impacted by NotPetya was the pharmaceutical company Merck. In response to loss suffered, Merck sought coverage under its All-Risk insurance policies. The issuing insurers denied coverage, relying on the “Hostile/Warlike Action” exclusion contained in the policies to argue that NotPetya was an instrument of the Russian Federation and was deployed as part of a broader offensive campaign against Ukraine.

It is important to note that, although the specific language is not quoted in the decision, the policies at issue contained “coverage for damage or loss resulting from destruction or corruption of data and software,” according to the Merck court. The court also noted that the “nature of the coverage” was not in dispute. The parties did not focus on whether the subject policies provided coverage for loss from a cyberattack. Rather, the Merck decision rested squarely on the applicability of the “Hostile/Warlike Action” exclusion.

The Merck court decided that the “reasonable expectations of the insured” prevented the use of the “Hostile/Warlike Action” exclusion. The court specifically reasoned that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts” at issue, and that the “insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyberattacks.” Accordingly, the court concluded that the policyholder could anticipate that the exclusion applied only to “traditional forms of warfare” and not to cyberattacks.

Because the court found that the “Hostile/Warlike Action” exclusion did not apply, it did not broach the issue of whether NotPetya was, in fact, a hostile or warlike action from Russia or a proxy on Russia’s behalf. Further, the court, in its decision, did not find whether NotPetya was attributable to the Russian Federation or whether it was implemented as part of ongoing hostilities with Ukraine.

Policyholders should not use the Merck decision as a reason not to buy a cyber-specific policy, in the hopes that they will be protected from loss from an attack by potential “silent cyber” coverage in their existing All-Risk policies.

“Silent” coverage means cyber risks are neither expressly covered nor excluded in a non-cyber policy. As the threat of cyberattacks has grown, and procuring cyber insurance has become more difficult, policyholders have tried to rely on non-cyber policies to cover their cyber-related losses. But such reliance on a policy to provide coverage for a risk nobody anticipated can lead to disputes between the policyholder and insurer if and when a cyberattack occurs. These silent cyber coverage disputes have been before the courts for years, leading to disparate outcomes based on, among other things, applicable state law, subject policy language, and the underlying facts of a claim.

Cyber Loss Coverage Under Non-cyber Policies

The Merck decision will not be broadly supportive for policyholders seeking to trigger coverage for cyber losses on non-cyber policies.

Initially, parties seeking coverage for cyber-related losses from non-cyber policies will typically need to overcome the insurer argument that cyber coverage was not an intended part of the policy’s coverage. For example, courts have precluded coverage for cyber losses on property policies absent resultant physical loss. In Ward v. Employers, 7 Cal. Rptr. 3d 844 (Cal. Ct. App. 2003)., the court reasoned that the policy covered only physical damage to property and that the loss was not physical because the lost information was not tangible. And again in Am. Online v. St. Paul Mercury Ins., 207 F. Supp. 2d 459 (E.D. Va. 2002), it was determined the policy did not cover loss because such lawsuits did not involve “physical damage” to “tangible property.”

In the Merck decision, as noted above, the nature of the policy’s coverage at issue was not in dispute. The court in Merck addressed a dispute about the applicability of an exclusion, not whether cyber-related loss was covered by the subject policy in the first instance. Accordingly, the initial hurdle in a silent cyber dispute was not before the Merck court in the recent decision.

Furthermore, New York is striving to move insurers and policyholders away from reliance on silent cyber coverage. Last year, the New York Department of Financial Services (NYDFS) released a Cyber Insurance Risk Framework, which provides “best practices for managing cyber insurance risk.” Among other things, the framework provides six categories of focus for cyber risk, including a directive to “manage and eliminate exposure to ‘silent’ cyber insurance risk, which results from an insurer’s obligation to cover loss from a cyber incident under a policy that does not explicitly mention cyber incidents.”

A final factor in determining the applicability of the Merck decision to cyberattacks today: The current combat involving Russia and Ukraine is substantially different from the hostilities that existed in 2017 at the time of NotPetya. In 2017, unlike today, Russia was not engaged in any traditional forms of physical attack upon Ukraine. The Merck court specifically ruled that the policyholder could not reasonably expect the application of the “Hostile/Warlike Actions” exclusion absent “traditional forms of warfare.”

In 2022, a cyberattack executed along with ongoing traditional forms of warfare might force a court to interpret such an exclusion, and the policyholder’s expectations regarding the exclusion, differently.

Insureds who are concerned about coverage for data breaches and cyberattacks would be well-advised to purchase cyber-specific policies, especially in light of the increased risk of cyberattacks as predicted by CISA and the ECB. Despite the holding in Merck, an effort to seek coverage for a cyber incident under a non-cyber policy—counting on silent cyber coverage for protection—puts too heavy of a reliance on courts to find coverage where none exists through a disfavored method of interpretation.

Eric B. Stern is a partner at Kaufman Dolowich & Voluck and co-deputy chair of the firm’s data privacy & cybersecurity practice group.

From: New York Law Journal