Insurers Must Pay Merck's $1.4B Losses For NotPetya

Merck's insurers can't use an "act of war" clause to deny the pharmaceutical giant an enormous payout to clean up its NotPetya infection, a court has ruled. Merck may now be entitled to a large insurance payout from the high-profile NotPetya cyber attack, provided an appeals court ruling stands.

The appellate court in New Jersey has ruled that insurance companies must pay more than $1.4 billion to cover losses incurred when Merck’s systems became infected with NotPetya malware in 2017. The court ruled that the war exclusions the insurance companies were invoking in a bid to deny coverage did not apply in the case of the cyber attack.

The case stemmed from a ransomware attack Merck suffered in June 2017 on the eve of Ukraine’s Constitution Day. The NotPetya malware was delivered into accounting software developed by a Ukrainian company that was used by Merck and other companies, according to the court’s description of events. More than 40,000 machines in Merck’s global network were infected.

The U.S. government later attributed the attack to Russia’s military intelligence operations and charged six Russian officers in connection with the event.

Pointing to Russian military involvement, Merck’s insurers invoked the hostile/warlike action exclusion clause in their policies and refused to cover the company’s losses.

An appellate court recently rejected the argument by Merck & Co.'s insurers that they are not liable for the pharmaceutical giant's $1.4 billion in losses following a 2017 cyber attack because the incident fell under exclusions for acts of war.

The New Jersey appellate court judges said that in order for a cyber attack to fall under any type of war exclusion it must involve military action. 

The Russian-backed NotPetya malware was found to be behind the cyberattack, and since Merck's Ukraine operations were initially targeted, insurers claimed the breach was an extension of military hostilities following Russia's invasion of Ukraine. "The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action," the judges explained in their ruling. "Coverage could only be excluded here if we stretched the meaning of 'hostile' to its outer limit."

Sources: Covington & Burlington LLP, Law360, Dark Reading, Bloomberg, Fierce Pharma, SANS, The Register
