Merck Settles With Insurers Over $700m NotPetya Claim

Merck has finally reached a settlement with its insurers after they had refused to pay out following the NotPetya campaign due to a cyber-warfare policy exclusion.

The pharmaceuticals giant claimed it was entitled to around $700m from its carriers after the 2017 attacks, which are believed to have infected tens of thousands of its machines with destructive malware disguised as ransomware.

Last year, a New Jersey state appellate court ruling agreed with Merck, and a previous court decision, stating that a clause exempting the insurers for “acts of war” only applies to traditional forms of warfare.

Russia is believed to have been behind the NotPetya attacks, which targeted Ukrainian government institutions with infected software updates but quickly spread to private sector businesses in the country and then to their headquartered facilities abroad.

Read more on cyber-insurance: Only 30% of Cyber-Insurance Holders Say Ransomware is Covered

According to Bloomberg Law, the settlement last week came just before the start of oral arguments in a New Jersey Supreme Court review of the dispute. This may finally have set a legal precedent to clarify the situation and benefit organizations taking out “all risks” property insurance policies.

Whether state-backed cyber-campaigns like NotPetya can be described as acts of war is a matter hotly contested by legal scholars.

Confectionary giant Mondelez settled with insurance provider Zurick back in 2022 after the latter denied it a $100m payout following NotPetya on similar grounds.

In the meantime, the insurance sector has been scrambling to add clarity to policies when it comes to cyber-related risk.

Also in 2022, Lloyd’s of London released four new cyber war and cyber operation exclusion clauses, broadening the definition of what can be excluded from coverage for “state-backed cyber-attacks.”

It’s believed that NotPetya caused $1.4bn in losses at Merck.

Image credit: G.Tbov / Shutterstock.com