2026.02 | [Redefining War in the Digital Age: The Merck Case and the Evolution of Cyber Insurance], co-authored and published by the firm's attorney and civil notary public Yu Shu-Chun (Debby S.C. Yu) in the Taiwan Bar Journal, February 2026 issue | Taipei attorney | Zhongzheng District attorney

【Article Title】

Redefining War in the Digital Age: The Merck Case and the Evolution of Cyber Insurance (Taiwan Bar Journal, 2026)

【Full-Text (Electronic) Link】

https://www.twba.org.tw/publication/articles/098446a9-7ed9-469e-93b7-ced3d6563fa8

 

 

【Abstract】

As corporate operations rely ever more heavily on digital systems and network services, the risks of operational disruption, data breaches and financial loss caused by cyberattacks continue to grow. To reduce the impact of such risks, companies have increasingly purchased cyber insurance as a risk-transfer tool. In recent years the global cyber insurance market has grown rapidly, and corporate demand for cyber risk management continues to rise.

However, when a cyberattack involves a state or state-sponsored actor, the clauses of traditional insurance policies are often difficult to apply directly, and major claims disputes can result. The insurance litigation brought by the U.S. pharmaceutical company Merck & Co. over the 2017 NotPetya cyberattack is a leading example of such a dispute.

The case not only influenced clause design in the cyber insurance market but also prompted the legal community to re-examine the scope of the war exclusion in the digital age.
 
 
The NotPetya Attack and the Merck Dispute

The NotPetya malware attack that broke out in June 2017 initially targeted the Ukrainian government and Ukrainian businesses, but it quickly spread to companies worldwide, including multinationals such as the shipping company Maersk, the logistics company FedEx and the pharmaceutical company Merck.

In the attack, about 40,000 of Merck's computer systems were paralysed, disrupting production and the supply chain; total losses were estimated at up to USD 1.4 billion.

Merck filed claims with several insurers under its Property All Risks Policy. The insurers, however, denied the claims on the basis of the policy's Hostile/Warlike Action Exclusion, arguing that the NotPetya attack was a Russian-backed cyber operation and therefore a hostile act of a state.

Impact on the Cyber Insurance Market

After the Merck case, the global insurance market began re-examining the design of cyber insurance policy clauses.

In particular, from 2023 Lloyd's of London has required its market members to include in cyber policies an explicit exclusion for state-backed cyberattacks and to establish an attribution mechanism, in order to reduce the systemic risk posed by large-scale cyberattacks.
 
 

Conclusion: Cyber Insurance Risk Management Considerations for Businesses

The Merck case exposed the limitations of traditional policy clauses when confronted with digital conflict and prompted the insurance market to rethink clause design and risk allocation in cyber insurance.

As cyberattacks become more frequent and complex, companies planning a cyber risk management strategy should, in addition to strengthening their security defences, carefully evaluate the terms of their cyber insurance policies to ensure that appropriate protection is available when a major cyber incident occurs.

Going forward, as legal practice and the insurance market continue to evolve, the cyber insurance system will gradually develop a clearer legal framework to address the new forms of risk of the digital age.

Key Takeaways
 
  • Traditional war exclusion clauses may not automatically apply to cyberattacks. Courts may interpret such clauses narrowly if policy language does not explicitly address cyber operations.
  • The Merck litigation has become a landmark precedent in cyber insurance law. The case illustrates how ambiguities in insurance policy wording may lead courts to favor policyholders.
  • The insurance market is revising cyber policy language. Following the Merck decision, insurers—particularly within the Lloyd’s market—have introduced clearer exclusions for state-backed cyber operations.
  • Businesses should carefully review cyber insurance coverage. Companies should ensure that policy terms align with their cyber risk exposure and form part of a broader cyber risk management strategy.
 
Introduction
 
As corporate operations increasingly rely on digital systems and online services, the risks of operational disruption, data breaches, and financial losses caused by cyberattacks continue to grow. To mitigate the impact of such risks, companies have increasingly turned to cyber insurance as a risk transfer mechanism. In recent years, the global cyber insurance market has expanded rapidly, reflecting the rising demand among businesses for more robust cyber risk management strategies.
 
However, when cyberattacks involve nation-states or state-sponsored actors, the provisions of traditional insurance policies are often difficult to apply directly, which may lead to significant coverage disputes. The insurance litigation involving the U.S. pharmaceutical company Merck & Co. arising from the 2017 NotPetya cyberattack represents one of the most notable cases illustrating these issues.
 
This case has not only influenced the drafting of cyber insurance policy terms but has also prompted the legal community to reexamine the applicability of war exclusion clauses in the digital era.
 
 
The NotPetya Attack and the Merck Coverage Dispute
 
The NotPetya malware attack, which erupted in June 2017, initially targeted Ukrainian government agencies and businesses but quickly spread worldwide, affecting numerous multinational companies, including shipping company Maersk, logistics firm FedEx, and pharmaceutical manufacturer Merck.
 
As a result of the attack, approximately 40,000 of Merck’s computer systems were rendered inoperable, causing significant disruptions to production and supply chains. The company estimated its total losses at approximately USD 1.4 billion.
 
Merck subsequently filed insurance claims under its Property All Risks insurance policies. However, several insurers denied coverage based on the policy’s “Hostile or Warlike Action Exclusion”, arguing that the NotPetya attack was a cyber operation supported by Russia and therefore constituted a hostile state action excluded under the policy.
 
 
Impact on the Cyber Insurance Market
 
Following the Merck litigation, the global insurance market began reassessing the drafting of cyber insurance policy provisions.
 
In particular, Lloyd’s of London introduced new requirements beginning in 2023, mandating that market participants clearly define exclusions for state-backed cyberattacks in cyber insurance policies and establish mechanisms for attributing cyber incidents. These measures aim to reduce the systemic risks posed by large-scale cyber incidents.
 
These developments reflect a broader effort by insurers to clarify policy wording and reduce uncertainty in cyber coverage disputes.
 
 
Conclusion: Risk Management Considerations for Businesses
 
The Merck case highlights the limitations of traditional insurance policy language when applied to modern digital conflicts and has prompted the insurance market to reconsider how cyber insurance policies allocate risk.
 
As cyberattacks become increasingly frequent and sophisticated, companies should adopt a comprehensive approach to cyber risk management. In addition to strengthening cybersecurity protections, businesses should carefully review and evaluate cyber insurance policy terms to ensure that adequate coverage is available in the event of major cyber incidents.
 
Looking ahead, as legal practice and the insurance market continue to evolve, the cyber insurance framework is expected to develop clearer legal standards and contractual structures to address emerging risks in the digital age.

©Debby S.C.Yu, 2025. All rights reserved. 

Unauthorized reproduction or distribution of this article, in whole or in part, without prior written permission is strictly prohibited.