Merck Reaches Settlement with Insurers over $1.4 Billion NotPetya Malware Attack
The pharmaceutical giant Merck has finally obtained a settlement with its insurance policy providers over a June 2017 cyberattack that Merck claimed resulted in $1.4 billion in damages. Merck was infected with the infamous NotPetya wiper malware – a malware variant that appeared to be ransomware but was in fact a wiper. The malware has been linked to Russian state-sponsored hackers and was used to attack targets in Ukraine, but attacks occurred globally, resulting in an estimated $10 billion in losses worldwide.
Merck was badly hit by the attack and claimed that 40,000 of its computers were wiped by NotPetya malware. When it tried to recover those losses under its ‘all-risk’ insurance policies, its insurers refused to pay out, claiming the cyberattack was excluded as the policy did not cover acts of war.
Merck challenged the decision and maintained that the exclusions in its insurers’ policies did not apply to NotPetya, and a trial court judge ruled in Merck’s favor. After examining the language of the war exclusion of the policies, the history of how war exclusions have been interpreted in the past, and the nature of the all-risk policy, the trial court concluded that the cyberattack could not be excluded. The trial court’s decision was affirmed in May 2023 by a state appellate court.
The language of the war exclusion did not include any reference to cyberwarfare or cyberattacks, and the insurers failed to demonstrate that the NotPetya cyberattack on Merck was a hostile or warlike action. The war exclusion therefore did not apply, and Merck was entitled to recover approximately $700 million of its losses. Ultimately, if the insurers had wanted to exclude certain types of cyberattacks from their coverage, they should have included language to that effect in their policies.
The insurers challenged the decision of the appellate court and sought to have the decision reversed by the New Jersey Supreme Court; however, this month, they decided to drop the appeal and reached a settlement with Merck over the claims. Had the case been resolved through the courts in the insurers’ favor, a legal precedent would have been set that would have had implications for all cyber insurance claims; however, since the legal challenge has been resolved with a confidential settlement, that is not the case. That said, insurers are likely to tighten up the language of their policies to make it clear exactly what types of cyberattacks will and will not be covered by their policies.


