Page 29 - Insurance Times August 2023
P. 29

launched in June 2017 on the eve of Ukrainian Constitution  some liability, the majority of the participants of the insurance
          Day. The report of the attack first came from Ukrainian  program led by Chubb (ACE American Insurance Company)
          companies, but soon spread across the world. The cyber attack  denied the claim on the grounds of exclusion of war, as the
          impacted various business organizations and government  perpetrators of the attack were linked to the sovereign
          entities spread across more than sixty-four nations around  nation-state of Russia.
          the  world.  Among  those  affected  were  the  US
                                                              Mondelez International incurred damage of 100 million USD
          pharmaceutical company Merck & Co, with an estimated
                                                              when the attack infected 24,000 laptops and 1,700 servers.
          damage of $870,000,000; multinational food and beverage
                                                              Mondelez's policy covered  "physical loss or damage to
          company Mondelez International,  with an estimated
                                                              electronic data, programs, software, including physical loss
          damage of $188,000,000; Danish shipping conglomerate
                                                              or damage caused by the malicious introduction of machine
          Maersk, with an estimated damage of $300,000,000 and
                                                              code or instruction" and thus considering the circumstance
          even Russia's state-owned oil giant Rosneft. The total damage
                                                              of the attack they also raised a claim in their policy. Mondelez
          from the NotPetya attack, as estimated by the White House
                                                              also confirmed in the court filings that the policy was updated
          stood at $10 billion.
                                                              in 2016 to include losses caused by "malicious introduction of
                                                              machine code or instruction". However, the insurer  Zurich
          The American government blamed the attack on the Russian
                                                              American Insurance distanced itself from the claim raised by
          military. A cyber warfare group by the name of Sandworm,
                                                              Mondelez International. Like in the case of Merck, here too
          working under the Russian military intelligence service, was
                                                              the exclusion of war in Mondelez's insurance was used as the
          identified as the main perpetrator of the attack. The Federal
                                                              ground for the denial of the claim (exclusion B.2(a) in the
          Bureau of Investigation, USA even named 6 GRU (Russian
                                                              concerned policy).
          Military) officials as the hackers involved in the said attack.
          The United Kingdom and Australian governments also put The claim repudiation letter, dated June 1, 2018,
          the responsibility for this attack on the Russian Military and  defined war as :
          Government.  Many experts  considered the  attack  an
                                                              "Hostile or warlike action in time of peace or war including
          extension of the armed conflict between Ukraine and Russia.
                                                              action in hindering, combating, or defending against an
                                                              actual, impending, or expected attack by any
          The Cases:                                          i)  Government or sovereign power (de jure or de facto)
          As per court documents Merck's computer system got infected  ii)  Military, naval, or air force; or
          which included more than 40,000 machines integrated with
                                                              iii) Agent or authority of any party specified in i or ii above."
          its global network and reported damage to the tune of  $1.4
          billion. Merck preferred a claim in its global property insurance
                                                              Both the insured reached court to seek remedy which started
          which had a consortium of insurers led by subsidiaries of
                                                              a lengthy litigation process.
          Chubb. Following the claim while some insurers admitted to
                                                              The verdict:
                                                              In January 2022 the Superior Court of New Jersey awarded
                                                              Merck the victory, disallowing the insurer's application of war
                                                              exclusion. The court in its wisdom didn't even get into the
                                                              question of whether a sovereign nation-state was behind the
                                                              attack but instead focused on interpreting the term war in
                                                              its most obvious and literal sense. The Court decided that the
                                                              cyber attack can't be termed as a hostile act or war even if it
                                                              originated from a foreign sovereign-backed entity.  The judges
                                                              were of the opinion that describing the cyber attack as war
                                                              meant stretching the term to its 'outer limit'. The fact that
                                                              Mercer itself is a non-military company further went in its
                                                              favor and was considered collateral damage. The judgment

                                                                        The Insurance Times  August 2023   23
   24   25   26   27   28   29   30   31   32   33   34