By the time Deb Dellapena arrived for work at Merck & Co.'s 90-acre campus north of Philadelphia, there was a handwritten sign on the door: The computers are down.

It was worse than it seemed. Some employees who were already at their desks at Merck offices across the U.S. were greeted by an even more unsettling message when they turned on their PCs. A pink font glowed with a warning: "Ooops, your important files are encrypted. … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment …" The cost was $300 worth of bitcoin per computer.

The ransom demand was a ruse. It was designed to make the software locking up many of Merck's computers—eventually dubbed NotPetya—look like the handiwork of ordinary criminals. In fact, according to Western intelligence agencies, NotPetya was the creation of the GRU, Russia's military intelligence agency—the same one that had hacked the Democratic National Committee the previous year.

NotPetya's impact on Merck that day—June 27, 2017—and for weeks afterward was devastating. Dellapena, a temporary employee, couldn't dig into her fact-checking work. Interns and temps bided their time at their desks before some of them were sent home a week later. Some employees gossiped, their screens dark. Others watched videos on their phones.

In all, the attack crippled more than 30,000 laptop and desktop computers at the global drugmaker, as well as 7,500 servers, according to a person familiar with the matter. Sales, manufacturing, and research units were all hit. One researcher told a colleague she'd lost 15 years' worth of work. Near Dellapena's suburban office, a manufacturing facility that supplies vaccines for the U.S. market ground to a halt. "For two weeks, there was nothing being done," Dellapena recalls. "Merck is huge. It seemed crazy that something like this could happen."

As it turned out, NotPetya's real targets were half a world away, in Ukraine, which has been in heightened conflict with Russia since 2014. In the former Soviet republic, the malware rocketed through government agencies, banks, and power stations—even the Chernobyl radiation monitoring system. Merck was apparently collateral damage. NotPetya contaminated Merck via a server in its Ukraine office that was running an infected tax software application called M.E.Doc.

NotPetya spread. It hopped from computer to computer, from country to country. It hit FedEx, the shipping giant Maersk, the global confectioner Mondelēz International, the advertising firm WPP, and hundreds of other companies. All in all, the White House said in a statement afterward, it was the "most destructive and costly cyberattack in history."

By the end of 2017, Merck estimated in regulatory filings that the malware did $870 million in damages. Among other things, NotPetya so crippled Merck's production facilities that it couldn't meet demand that year for Gardasil 9, the leading vaccine against the human papillomavirus, or HPV, which can cause cervical cancer. Merck had to borrow 1.8 million doses—the entire U.S. emergency supply—from the Pediatric National Stockpile. It took Merck 18 months to replenish the cache, valued at $240 million. (The Centers for Disease Control and Prevention say the stockpile's ability to deliver medicine wasn't affected.)

Cyberattack or 'Act of War'?

In response, Merck did what any of us would do when facing a disaster: It turned to its insurers. After all, through its property policies, the company was covered—after a $150 million deductible—to the tune of $1.75 billion for catastrophic risks including the destruction of computer data, coding, and software. So it was stunned when most of its 30 insurers and reinsurers denied coverage under those policies. Why? Because Merck's property policies specifically excluded another class of risk: an act of war.

Merck went to court, suing its insurers, including such industry titans as Allianz SE and American International Group Inc., for breach of contract, ultimately claiming $1.3 billion in losses.

In a world where a hacker can cause more damage than a gunship, the dispute playing out in a New Jersey courtroom will have far-reaching consequences for victims of cyberattacks and the insurance companies that will or will not protect them. Until recently, the big worry associated with cyberattacks was data loss. The NotPetya strike shows how a few hundred lines of malicious code can bring a company to its knees.

As the nascent cyber insurance market has grown, so has skepticism about pricing digital risk at all. Few people understand risk as well as Warren Buffett, who's built conglomerate Berkshire Hathaway Inc.—and one of the world's biggest personal fortunes—on the back of insurance companies such as Geico and National Indemnity Co. "Frankly, I don't think we or anybody else really knows what they're doing when writing cyber," he told investors in 2018. Anyone who says they have a firm grasp on this kind of risk, he said, "is kidding themselves."

Those who could be on the receiving end of cyberattacks don't underestimate the peril. Asked in September what kept him up at night, BP Plc CEO Bob Dudley said that aside from the transition away from fossil fuels, the threat of a catastrophic cyberattack worried him most. "It's the one that you can have the least control of," Dudley said on a call with investors. "That one keeps me awake at night."

The depths of these concerns show why the fight between Merck and its insurers is not only about what happened on a summer's day in 2017. It's about what companies and their insurers fear lurks over the horizon.

Union County's imposing 17-story neoclassical courthouse in Elizabeth, N.J., is a 15-minute drive from Merck's global headquarters in Kenilworth. It's also relatively conveniently located for the phalanxes of East Coast lawyers, from firms such as Covington & Burling and Steptoe & Johnson, who come here to do battle over the Merck case.

Their numbers are growing. One Monday in November, a dozen dark-suited lawyers filed into Judge Robert Mega's 14th-floor courtroom. They were there to discuss pro hac vice ("for this time only") applications to allow five additional colleagues to practice temporarily in New Jersey.

Merck has already collected on some property insurance policies that specify coverage for cyber damage while also settling with two defendants in the lawsuit for undisclosed amounts. One that settled, syndicate No. 382 at the insurance marketplace Lloyd's of London Ltd., was in a group that covered losses only if they ranged from $1.15 billion to $1.75 billion. A spokesman for CNA Financial Corp., which is tied to the syndicate, declined to comment.

The lawsuit in Union County addresses only property insurance claims. The $1.3 billion in losses that Merck claims includes expenses such as repairing its computer networks and the costs of business that was interrupted by the attack. Units of Chubb Ltd., Allianz, and other insurers have denied coverage on grounds that NotPetya was a "hostile or warlike" act or an act of terrorism, which are explicitly excluded by their policies.

As far as Merck is concerned, it was struck not by any of those excluded acts, but by a cyber event. "The 'war' and 'terrorism' exclusions do not, on their face, apply to losses caused by network interruption events such as NotPetya," the company's lawyers wrote in an Aug. 1 filing. "They do not mention cyber events, networks, computers, data, coding, or software; nor do they contain any other language suggesting an intention to exclude coverage for cyber events."

Lawyers for the insurance companies declined to comment for this story, as did Merck's attorneys. Merck declined to comment on the hack or the lawsuit beyond what's in their public filings. Addressing the broader issue, Merck CFO Robert Davis says, "We continue to make sure we fully invest to protect ourselves against the cyber threats we see." He didn't disclose how much Merck spends on cybersecurity.

As Solid a Case as Insurers Are Going to Get

The courts in the U.S. struggled with these matters long before cyber came along. Even under clearer circumstances—as when the Japanese bombed Pearl Harbor on Dec. 7, 1941—lawsuits between insurers and victims over similar exclusions tied U.S. courts in knots. In cases involving life insurance payouts after Pearl Harbor, courts in different parts of the country split, with some judges ruling that the exclusions didn't apply and other judges saying they did.

The NotPetya attack will catapult the U.S. legal system into even murkier terrain. Nation-states for years have been developing digital tools to create chaos in time of war: computer code that can shut down ports, tangle land transportation networks, and bring down the electrical grid. But increasingly those tools are being used in forms of conflict that defy categorization, including the 2014 attack that exposed emails and destroyed computers at Sony Pictures Entertainment Inc. The U.S. government blamed that attack on North Korea. Sony settled claims by ex-employees.

In the Merck lawsuit, the insurers may well see an opportunity to test their legal theories and find out if they can meet their burden of proving that war exclusions should apply. Fighting in eastern Ukraine between Russian-backed separatist forces and Ukraine's military has killed thousands. Speaking about NotPetya, Olga Oliker, a senior adviser to the Washington-based Center for Strategic and International Studies, said in testimony before the U.S. Senate in March 2017, "If this was, indeed, an orchestrated attack by Russia, it is an example of precisely the type of cyber operation that could be seen as warfare, in that it approximates effects similar to those that might be attained through the use of armed force."

Informed analysis doesn't equal the evidence insurance companies really want, however. If there is "smoking gun" proof that would be useful to the insurers' legal arguments, it probably resides out of reach: in classified U.S. or U.K. intelligence assessments that may have been based on intercepted communications and evidence obtained by hacking the attackers' computers. Even so, Philip Silverberg, a lead lawyer for the insurers, wrote to Judge Mega on Sept. 11, "The insurers are confident that there is evidence to demonstrate attribution of NotPetya to the Russian military."

To get it, the insurers will lean on the work of computer forensic experts who've analyzed NotPetya and may be able to testify that it bears the hallmarks of a Russian military operation. That analysis is complicated, because attackers often mask their identities and can mislead investigators. The insurers may get a little help from the Trump administration. In its February 2018 statement, the White House said NotPetya "was part of the Kremlin's ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia's involvement in the ongoing conflict."

"When the president of the United States comes out and says, 'It's Russia,' it's going to be hard to fight," says Jake Williams, a former National Security Agency hacker who now helps companies hunt for vulnerabilities in their computer networks. "I'll be surprised if the insurance companies don't get a win. This is as solid a case as they're going to get."

In addition, the insurers are likely to probe whether Merck did as much as it could to defend itself against a NotPetya-like attack: Was the company, for example, vigilant in updating its computer software?

The arguments and counterarguments unfolding in Elizabeth are sometimes arcane and convoluted. But what triggered them is plain to see. The attack that ricocheted around the world on June 27, 2017, was "the closest thing we've seen" to a cyber catastrophe, says Marcello Antonucci, global cyber and technology claims team leader at insurer Beazley Plc. "NotPetya was a wake-up call for everybody."

To What Degree Can Data Help?

For companies and their insurers, the numbers are daunting. The cost to businesses and insurers of a single global ransomware attack could hit $193 billion, with 86 percent of that uninsured, according to a 2019 report from a group that includes Lloyd's of London. Some estimates of total annual business losses from data breaches rise to more than $5 trillion by 2024.

"We're always looking to simulate what the Hurricane Andrew of cyber would be," says Scott Stransky, vice president and director for emerging risk modeling at AIR Worldwide, a unit of Verisk Analytics Inc. Stransky leads a team—data geeks, Ph.D.s, even a certified ethical hacker who worked at the U.S. Department of Defense—that creates and stress-tests models designed to assess future cyber costs. The tools deployed by the group are useful to insurance companies tapping into the lucrative cyber insurance market. The armaments include thousands of insurance claims as well as data from internet sensors that track traffic between corporations and business partners, sniffing out malware or determining whether network ports are vulnerable to incursions by outsiders. "NotPetya is not even close to the worst-case scenario. It can get much, much worse."

As the Merck case is highlighting, the insurance industry's exposure to cyber damage is almost incalculably hard to grasp. The problem isn't the relatively modest pool of cyber policies that insurers are writing; they amounted in the U.S. to $3.6 billion in premiums in 2018, according to the National Association of Insurance Commissioners. The bigger worry is that cyberattacks could spill over into the vastly deeper pool of property/casualty policies that insurers wrote in the U.S. in 2018—$621 billion worth in all.

Buffett's notion—that experts like Stransky are "kidding themselves"—nags at Stransky. Cyber events are unlike weather events in important ways. There's far less data because companies often hide what happens to them or downplay the damage. Furthermore, hacks and the defenses against them are not governed by ecology or physics. Hackers have so-called zero-days—computer vulnerabilities known only to them and for which there is no defense. And it's almost impossible to predict what a Russia or an Iran might do based on its past actions.

Stransky concedes all of that, but he remains optimistic that his data work will help clarify the clouded picture faced by insurers and their clients. "I'm not going to say this is the panacea," he says. "It's just one part of the process."

Insurers Are Seeking Clarity

A few years before NotPetya, China's military and intelligence agencies were stealing the secrets of global corporations at an alarming rate, giving a boost to the cybersecurity business. Most experts agree that threat has abated in the wake of a 2015 U.S.-China cybersecurity agreement and a reorganization of the Chinese military.

New and increasing threats are coming from ransomware and other malicious code designed to hijack, destroy, or alter data. Victims come in all sizes. Petty criminals, to cite one example, regularly use ransomware to lock up patient data in dentists' offices in capers that bring in a few thousand dollars. But for the most sophisticated cybercriminals, the choice targets are companies that make up a nation's infrastructure: manufacturers, power companies, gas pipeline operators, banks.

Andrew Morrison leads strategy, defense, and response for the cyber practice at Deloitte & Touche LLP, and his team is busier than ever. Manufacturers are particularly vulnerable, including aluminum companies with smelters valued at almost $1 billion that could be ruined in a cyberattack, Morrison says. "Taking down the manufacturing facility, taking down the supply chain, all have dramatic impacts," he says. "Clients generally aren't as well-prepared in that space because it's legacy equipment run by a shop steward on a machine floor and it's very difficult to secure."

That risk has increased as more industrial companies use interconnected devices that are embedded in their systems. Earlier this year, a ransomware attack hit aluminum producer Norsk Hydro ASA, halting production at some plants that fashion the metal into finished products. As manufacturers upgrade industrial systems, cyberattacks threaten to cripple production and ripple through supply chains.

Given how scary the future looks, the Merck case is, in some ways, an effort by insurers to turn back the clock. They want clarity. The industry is working to write its policy exclusions in such a way as to avoid any confusion over whether a digital attack is covered or not.

Standalone cyber policies give insurers the clarity they want. But property policies historically haven't taken into account the potential for damage in a cyberattack. This raises the dread prospect of what's known as "silent cyber"—the unknown exposure in an insurer's portfolio created by a cyber peril that hasn't been explicitly excluded or included.

Insurers such as AIG or the underwriters governed by Lloyd's are now tightening the language around what events they'll cover. Lloyd's said in July that certain policies must state more clearly whether cyberattacks are covered. AIG said that starting in January, almost all of its policies for businesses should make that clear, culminating a six-year effort.

In Elizabeth, the action has been going on behind closed doors. Witnesses will testify on such subjects as what insurers intended in drafting exclusions for acts of war or terrorism and what Merck believed its coverage meant. Some insurers drafted new war or cyber exclusions for policies after NotPetya, but Judge Mega ruled that insurers don't have to disclose documents showing why they changed their policies after the attack.

In early 2020, experts will testify behind closed doors as to what constitutes an act of war in the cyber age. The case could be settled at some point—or it could drag on for years before going to trial.

The challenge for insurers is to show that NotPetya was an act of war even though there's no clear definition in U.S. law on what that means in the cyber age. Mega will also have to analyze international law, says Catherine Lotrionte, a former CIA lawyer who's taught at Georgetown University. "It's not going to be an easy case for a judge in the U.S. to declare that this was an act of war," she says. "It's not just whether another country did it, but does it meet the legal criteria under international law for an armed attack?"

Whichever way the courts rule, one stark reality is clear: The era of cyber weapons is forcing companies to defend themselves against a scale of threat that, in the conventional world, would have merited government help. With the insurance companies working to protect themselves against cyber risk, and because there's only so much that governments can do, companies such as Merck have no choice but to build their own defenses to manage risk.

—With Kelly Gilblom

Copyright 2019 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
