In 2017, a devastating ransomware attack known as NotPetya initially targeted Ukrainian entities, but its reach expanded beyond, impacting dozens of international companies and costing billions in damages. Recently, Goldberg Segalla’s James E. Vinocur, a partner in the Cybersecurity and Data Privacy practice, wrote to New York Law Journal and explored the rippling effects this cyber-attack has had on the world of cyber risk damages.
Merck, one of the companies targeted in the attack, turned to its insurer for $1.4 billion in relief. However, the insurer refused to pay with the claim that the NotPetya attack was an “act of war” by Russia (to whom the attack has largely been attributed). In January 2022, the New Jersey Superior Court found that Merck was in fact owed the $1.4 billion from its insurer. The current situation in Ukraine includes cyber-hostilities by Russia, causing the potential for more businesses to suffer similar losses and file similar insurance claims, making the importance of the court’s decision increasingly important.
“…while the White House and federal agencies such as the Cybersecurity and Infrastructure Agency have recently stressed the risk of Russian attacks on critical infrastructure companies, it is the potential of collateral damage against much smaller downstream vendors and unrelated companies that remains high due to the potential for self-propagating malware,” he explained.
James emphasized that, within this volatile space, the insurance industry has begun to adjust war exclusions within the cyber context and as such “…the question of determining if a cyber-attack falls under an applicable war or cyberwar exclusion, regardless of the type of policy, will be heavily fact-dependent and carry several challenges.”
“The proliferation of cyber-attacks and the heightened risk brought on by the war in Ukraine therefore underscores the necessity of cyber-insurance but also importantly the insured’s need for quick payment to cover remediation, incident response, and regulatory compliance costs,” James concluded.
James E. Vinocur is a highly experienced litigator with more than 10 years of experience handling matters in New York courts. His extensive experience includes data privacy litigation, cyber and white-collar fraud, including institutional and corporate cyber intrusions and theft, international money laundering schemes, business email compromise fraud, international identity theft rings, SIM swapping schemes, and complex cryptocurrency fraud.