Cyber hacking by sovereign entities: does this mean war?

In June 2017 the pharmaceutical company Merck suffered a cyber attack. The attack is alleged to have been created by a Russian military intelligence agency.

It is suggested that Merck was not the intended primary target of the attack.  Regardless, the impact on Merck was extraordinarily large, effectively taking out its systems.

Consequent on the attack, Merck reported $870 million in damage because it was unable to produce an important product.

Merck carried insurance for cyber attacks, or so it thought.  It has coverage for up to $1.75 billion for catastrophic risks, including the destruction of computer data, coding and software.

Merck’s claims have been rejected by the insurer and Merck has commenced litigation to seek coverage. The defence relied upon by the insurers is that the claim was excluded on the basis that the attack was hostile or warlike or an act of terrorism. This is apparently because the alleged perpetrator is part of a sovereign entity.

The result is that Merck has been out of pocket for some considerable time in funding the losses that it has suffered and, even if it is successful in its claim for policy indemnity, may well be out of pocket for some further considerable period of time.  If it is unsuccessful, then it will never recover those losses.

Further, given that sovereign states are thought to be significant contributors to cyber disruption, the precedent could prove to be an important one.

It is a salient warning of the challenges that organisations face. If a cyber attack hits, then undoubtedly organisations will expect to receive the comfort of an insurance policy that provides the coverage for which they have paid. It is apparent that this may not be the outcome. It is also apparent that the wait may be lengthy and that organisations may need to try to fund the losses in the meantime.

While cyber attacks cannot always be prevented, organisations that actively take steps to reduce their risk of attack, and therefore their risk of exposure, will avoid the losses caused by cyber attack and the uncertainty of whether their claims for indemnity will be met by their insurers.

If you have any questions in relation to this article, please contact Iain Freeman.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.