Insurers can't use 'act of war' excuse to avoid Merck's $1.4B NotPetya payout

Merck's insurers can't use an "act of war" clause to deny the pharmaceutical giant an enormous payout to clean up its NotPetya infection, a court has ruled. A New Jersey appellate court this week upheld [PDF] an earlier decision that a group of insurers could not use the war exclusion in their insurance policies — despite the …

  1. Notas Badoff

    Over there, over here

    Russia invades Ukraine. Grain exports get bottled up. Some regions need those imports to feed their people. Starvation ensues, people die.

    An insurance company says it won't pay out on life insurance policies, because "act of war"?

    1. Handlebars

      Re: Over there, over here

      Would be better with a more realistic example. Even an income insurance policy won't help if there is hyperinflation on food prices.

    2. Anonymous Coward

      Re: Over there, over here

      but really, what else would you expect? Decency? From insurers?

  2. Mark Exclamation

    I have mixed feelings about this outcome; on the one hand I want the insurance companies to pay out from their fat wallets and huge profits, but on the other hand, if a company has shit IT security and hasn't funded it sufficiently, they don't deserve a payout, and should be made to suffer financially.

    1. doublelayer Silver badge

      That's why insurance should be more expensive if you don't do things correctly. That way, a place can still get some degree of protection from an attack, but they have an incentive to secure themselves properly to minimize the risk. Insurance companies should, if they intend to cover people for computer security events, audit their clients' security and use the results of that audit to set premiums. I think this process will work much better if the insurance companies have to do that for their own profit motive, and that is less common if they always find some excuse why they never have to pay a claim. So, in a complex chain, I think making the act of war provision more difficult for insurance companies to use will probably improve security of companies that choose to buy insurance.

      1. Joe W Silver badge

        Usually there are clauses to that effect: you, as the insured party, are required to do things to mitigate risks. I am not sure how the terms translate, but I think it is "neglect" and "gross neglect".

        1. Geoff Campbell Silver badge

          "Contributory negligence" is used a lot in this context.

          GJC

      2. T. F. M. Reader

        I think that's the main driver of compliance business, from companies like CyberArk selling you a lot of words and a checkbox to scorecards and certifications from the likes of MITRE.

        The actual value of those things is somewhat limited. E.g. CyberArk will say a lot about preventing another Snowden but in practice their methodology would be unworkable in any organization and what they really sell is a checkbox (I got this admission from a pushed-to-a-corner employee, who shall remain anonymous, at one of their customer conferences). MITRE will gladly take your money (for their non-profit purposes, of course, a.k.a. drive compensation up enough and you won't have any profits) for testing you, but they generally tell you in advance what they will test. Etc., etc.

        However, to qualify for cyber insurance you need some acceptable - to insurance companies who are not cyber experts themselves - and independent benchmarks that will let you qualify for sane premium rates, and this is where compliance companies and organizations like MITRE come handy. You will pay through the nose to the former and you will demand the latter's scores from security vendors (who will pass their MITRE costs to you) to get lower insurance rates and mitigate risks if something bad happens. Just cost of doing business.

        With this decision, consider buying compliance stock?

        1. doublelayer Silver badge

          That's all true, and it's certainly no panacea. However, I hope that, if insurance companies decide they're still going to insure cyber risk, they'll eventually put some effort into figuring out which certifications of security policies are good at proving real benefit and which are not. That will only happen if there's a cost to them of not checking, and that will only happen if they have to pay a lot of claims from companies they've insufficiently checked so they fix that process. Maybe some insurance companies will decide that it's still a lucrative market and they'll hire some people to make a better method of auditing and certifying security practices. Or they'll decide it's not and they'll stop selling the insurance, which is also fine with me because then it goes back to being the companies' responsibility to pay for the results of their mistakes.

        2. An_Old_Dog Silver badge

          Insurance Companies: Get Smart(er)!

          to insurance companies who are not cyber experts themselves

          As I've written before, insurance companies would do themselves a world of self-favors to become computer-security experts, or to perhaps set up an Underwriters' Laboratory-type organization expert in computer security which provides advice to the insurance companies.

          1. hayzoos

            Re: Insurance Companies: Get Smart(er)!

            Why not have UL become computer-security experts? UL has expanded its expertise in the past. The structure is already in place.

      3. Anonymous Coward

        Our cyber insurance provider required a security audit before they would renew our cyber policy. They also offered some prepaid consultation hours with a cybersecurity consultancy as a benefit with our policy.

        In this case it looks like they are at least trying to improve things for themselves and their clients. There was a definite feeling that they wanted to help us improve our security (and to protect themselves in the process).

        1. An_Old_Dog Silver badge

          Checklist-Based Audits

          Some insurance companies' "security audits" are just a series of checklists with no thinking involved on the part of the auditor. Thus, by checklist rule #188, "Passwords shall be at least eight characters with at least one numeric and one special character", the audited company can pass if their authentication system (AD, NDS, etc.) enforces those minimums, but the root-password-taped-to-the-bottom-of-the-keyboard problem isn't recognized as a problem as it's not in the checklist, and the company will "pass" the "audit".

          That your insurance company offered some prepaid consultation hours with a (presumably-) expert computer security company indicates your insurance company is thinking outside of the checklist-security box, which is all to the good.

      4. Anonymous Coward

        That's what an excess is for....

    2. Zippy´s Sausage Factory

      If the insurance company had argued that the company's IT department had been woefully negligent, they'd have won it. The fact that they didn't shows it's probably a loss adjuster tactic to try to avoid paying out.

      Because that's what loss adjusters do: try and avoid paying out at all costs. That's literally their entire business model. If they can find a reason not to pay out on a claim, or at least, to lower the value of it, they will. You might have paid £800 for that TV when it was new, but if it's now in the Argos catalogue* for £400, guess how much you're getting to replace it?

      * do they even do the Argos catalogue any more? You get the idea, anyway.

      1. Zippy´s Sausage Factory

        Might have won it, I mean. I can't see the future, nor do I have whoever has replaced Mystic Meg these days on speed dial.

      2. Little Mouse

        They're also going to "create more certainty for policyholders" off the back of this "confusion". Which presumably means re-wording their policies to ensure that these specific circumstances will absolutely not be covered in future.

        1. doublelayer Silver badge

          Which is not as pleasant, but at least they'll have to make things clear when you sign the contract rather than trying to slip it in. If a contract makes it clear that I'm not buying something, at least that means I can compare it to other clear contracts. The worst situation is when it looks like I'm buying something but I'm actually not.

          1. Richard 12 Silver badge

            Like Homeserve claiming they cover blocked pipes

            But then deciding a pipe that passes about 80% of the legal minimum is not blocked, because some water comes out.

            They did eventually fix it - around about the time they would have got the letter from the ombudsman. Funny that.

            But it took nine months, and meant my new boiler cost me 15-20% more due to inflation (and who knows how much gas in the meantime) as nobody would quote until the water supply was fixed. Impossible to recover that loss as nobody would quote...

            Don't buy their plumbing cover, it's useless.

  3. OhForF' Silver badge

    Paying ransom in the interest of insureds?

    "Protecting our insureds is the reason they buy insurance. Unfortunately, when that means paying a ransom that funds a hostile state-backed adversary it's not in the interest of our country"

    Is the next coming lawsuit about insurance companies only paying the ransom amount if that is lower than the insured costs to clean up the damage after the ransom was not paid?

    1. Richard 12 Silver badge

      Re: Paying ransom in the interest of insureds?

      Paying a ransom is clearly never in the interest of the underwriter, as it funds and encourages further attacks on other insured parties.

      So why is that even considered?

      1. Claptrap314 Silver badge

        Re: Paying ransom in the interest of insureds?

        Long term, no. In time for the next quarterly report however....

        1. Strahd Ivarius Silver badge

          Re: Paying ransom in the interest of insureds?

          Didn't insurance start as a racket?

          "You have a fine building there; it would look bad if it 'spontaneously' burned down to the ground..."

  4. Claptrap314 Silver badge

    Several thoughts

    In the first place, the Geneva conventions were updated after NotPetya to certify that these sorts of things are Acts of War. If the court ruled that the release of NotPetya was not an act of war, the value of this decision as precedent appears to be at best limited.

    If the court has taken the position that collateral damage, not being intended, is not an Act of War, that is an interesting theory, but contrary to the Geneva Convention. Collateral damage is a major subject of the convention, and parties at war can most certainly be held responsible for it. It is not clear why insurance law would deviate from international law on this subject. (Imagine a bomb dropped on a government building that also destroyed a civilian building next to it. Is the destruction of the civilian building not also an Act of War?)

    If the court has taken the position that the intent of the Russians when releasing NotPetya was to only cause damage in the Ukraine, that is an interesting theory, but contrary to the behavior of Russia under Putin both before and after the incident. The team who created NotPetya was certainly highly professional. They were well aware that such viruses always spread beyond their nominative targets. This was not, however, an "unfortunate side effect". It was intended to terrorize Western populations into allowing Russia to do as it pleased. "See what happens when we don't get our way? Do you want more?" Russia's behavior towards Ukraine has not been an undeclared war against Ukraine alone, but against the entire Western system. This was an attack on the West generally, with Ukraine being the immediate target.

    I have long hoped that the insurance industry would spur companies to clean up their act. As I have said before, it has sadly become clear that this is not likely to go anywhere. As it stands, almost nobody is any good against an attacker capable of researching their own zero days, and almost every commonly used software has turned up serious security bugs when the adults have dug hard. The reason for this is that the customer does not want to pay for security. No amount of box-checking (SOC II) is going to fix that.

    Security surveys & audits are now part of my job. The entire exercise has been quite the letdown. On the other hand, it is extremely clear that a serious audit would involve full access to the code by a team of expert white hats. No one is going to pay for that.

    The industry is uninsurable. When the insurance industry fully digests that, we might get a start of some useful change.

    1. Someone Else Silver badge

      Re: Several thoughts

      It is not clear why insurance law would deviate from international law on this subject.

      "Insurance law"? Now, there's a concept....

    2. katrinab Silver badge

      Re: Several thoughts

      Do we know that it was released by the Russian government, and not by some Russian programmers who wanted to make money out of it? Given that it “worked” the odds of it being a government IT project are negligible.

      1. Clausewitz4.0 Bronze badge

        Re: Several thoughts

        Most likely we will never know for sure.

        Was Stuxnet a cyberweapon created by USA/Israeli hackers? Likely. Are you sure? Anyone spilled the beans? No.

        1. Strahd Ivarius Silver badge

          Re: Several thoughts

          Not yet, just wait for the next young guy with unlimited access to secret data to spill the beans to impress his buddies...

  5. Jaybus

    How much is the annual premium for a multi-billion dollar policy? Millions, right? I feel confident that they could hire 60 or 70 highly trained security professionals at $100k/yr with that premium amount and not have $1.4 billion damages in the first place.

    1. Michael Wojcik Silver badge

      For an operation the size of Merck's, with the amount of geographically-distributed legacy technology they have, I would not want to bet that "60 or 70 highly trained security professionals", assuming they could be found and would be willing to work for "$100k/yr" (I certainly wouldn't!) could fix the problem in time.

      There are some details about Merck's adventure with NotPetya in Sandworm. It's worth noting that ETERNALBLUE was only patched in 2017 – the same year it was used in NotPetya. That's not a long time to respond, particularly in the context of the continual stream of attacks against any organization of any significant size.

  6. M.V. Lipvig Silver badge

    What would be interesting

    is if this could be twisted around to put liability on the software writers, regardless of their T&Cs, that if their code allows a virus and it's found to be due to the code being sloppy. If the insurance companies could reclaim some of the money paid out from, say, M$ or the other major offenders, perhaps we'd start getting OSs that aren't festering piles of malware.

    1. OhForF' Silver badge

      Liability for "sloppy code"

      In most jurisdictions you should already be able to sue for damages if you can prove that the damage was directly (1) caused by a specific piece of software that contains flaws that were introduced willfully or by (gross) negligence while the program was used for its intended purpose. Of course, if you are responsible for the system you will need to demonstrate that you did your due diligence (backups, installing security patches, monitoring the system, antivirus, running the software with minimal necessary permissions, ...) to avoid the damage, or you might be held liable as well.

      Proving that negligence is not as easy as it sounds, especially when defenders can point out that there are dozens of CVEs proving the same vulnerabilities are regularly produced by the biggest software vendors.

      (1) Do you expect the producer of the immobilizer in your car to be liable when someone unauthorized manages to start your car and damages other cars in your neighborhood?

  7. Jemma

    What else would you call it?

    An Act of Extreme Snuggles??

    Someone has attacked this company with the intent of putting it out of business, harming their customers and employees, and causing untold damage, delay, lack of earnings etc. In addition they've done it against a medical company so that's patients as well. I'd consider that an act of war against the company and against the state wherein that company resides for one simple reason. *PATIENTS*. This by extension is an attack on the population of the country concerned which will likely cause harm and death and that, by definition, is an act of war. If it was Ford, or FCA, or a company that makes greetings cards? Not so much, but this is an act against a state albeit indirectly.

    Given the hospital I'm being treated at was recently hit by the same situation, I'd happily hunt these people down if I was a government and publicly execute them on national daytime TV, because this situation can, and probably already has, cause(d) deaths and it needs to be stopped, stone dead if you'll excuse the pun. There should be a law: you attack any health, water, power, or infrastructure related business and get caught and it's a headshot on daytime TV.

    And considering the business Merck is in, they need to be up and running as soon as possible because they're a MAJOR player in their market. But they won't because "probably communism" to help a fundamental health business keeping your citizens alive...

    PS. Mods. Getting kinda tired of cretins hunting down three month plus old comments to down vote them because in my opinion the sun doesn't shine out of #Retardistans arse, you know the country that bankrolled the Soviets, Nazis (not fascists), bin Laden, Hussein, Gaddafi and the IRA... And have an unhealthy relationship with #Kiddiepizza...

  8. Henry Wertz 1 Gold badge

    Seems fair

    Seems fair. I mean, to me it seems clear the "act of war" exemption is meant so, if some city got a nuclear bomb dropped on it, it wouldn't immediately bankrupt every insurance company in the country (that did any significant underwriting in that city). Not so an insurance company can insure for ransomware, and then weasel out of paying for it. (That said, $1.4B? Merck must have bought pretty good insurance!)

    1. Anonymous Coward

      Re: Seems fair

      If you remove the "act of war" exemption, insurers will then have the greatest incentive to ensure that NO ONE will start a war.

      Given their monetary power (and also their shady connections), one can expect universal peace in a few years...

  9. Tron Silver badge

    Some things are just not viable.

    Insuring against hacking/malware threats may not be commercially viable. If I ran an insurance company, I wouldn't offer it.

    Although insurers have a poor reputation - often deserved - they have a risk model and if something is too great a risk, they can't insure it.

  10. Anonymous Anti-ANC South African Coward Bronze badge

    Maersk, not Merck?

    One is a carrier, the other a pharma comp.

    I'll see myself out now.
