On March 21, 2022, President Biden warned the nation that intelligence reports indicated that Russia was exploring cyberattacks against American companies, stating “… one of the tools [Putin is] most likely to use in my view, in our view, is cyberattacks.” This escalated threat comes on the heels of the imposition of severe sanctions on Russia as a result of its invasion of Ukraine. This increased risk of potentially devastating cyberattacks occurs amidst an already fraught environment in which ransomware attacks more than doubled in 2021 (see Amiah Taylor, There’s a huge surge in hackers holding data for ransom, and experts want everyone to take these steps, (Feb. 17, 2022)) and, after a brief retreat this past January, are back on the rise. As a result, cyber-insurance providers have had to reevaluate how to account for the additional risk posed by cyber-attacks in a war-time setting. It is this already-complicated background that made the December 2021 decision in Merck & Co., Inc. and International Indemnity v. Ace American Insurance Company, Case No. UNN-L-2682-18 (N.J. Sup. Ct.), by a New Jersey Superior Court notable for its potential consequences to the cyber-insurance market for small to medium-sized American businesses.

Despite the massive increase in cyber-attacks facing American companies over the last five years, a direct Russian cyber-attack on smaller companies is unlikely. Rather, while the White House and federal agencies such as the Cybersecurity and Infrastructure Agency have recently stressed the risk of Russian attacks on critical infrastructure companies, it is the potential of collateral damage against much smaller downstream vendors and unrelated companies that remains high due to the potential for self-propagating malware. The best-known example of this is of course the NotPetya attack. In the summer of 2017, Russia launched a ransomware attack against a Ukrainian tax preparation software company as part of its years-long assault on Ukraine. The attack led to the infection of dozens of Ukrainian companies and institutions, including the National Bank of Ukraine, but almost immediately created global ripples, leading eventually to billions of dollars in damages. Victims included international shipping behemoth Maersk, Mondelez International, and pharmaceutical giant Merck, but also much smaller entities. Regardless of size, these victims found themselves completely locked out of their networked systems, grinding them to an operational standstill. In effect, they had become collateral damage in Russia’s cyber-campaign against Ukraine.