Insurers Drop Bid to Exclude Merck's $1.4B NotPetya Claims
A Settlement Has Been Reached. So, How Might This Affect Similar Cases?
A proposed settlement has been reached between Merck & Co. and several insurers that were appealing a 2023 court decision saying the insurance companies could not invoke "hostile warlike action" exclusions in refusing to pay the drugmaker's claims filed after the 2017 NotPetya cyberattack.
So far, terms of the settlement have not been disclosed by the parties. But Merck alleged it suffered $1.4 billion in damages, including lost revenue, related to the NotPetya attack that affected about 40,000 of the company's computers.
Merck's insurers denied coverage for the claim based upon a war exclusion, contending that Russia had launched the NotPetya malware as part of its ongoing conflict with Ukraine.
Last May, a three-judge panel on the New Jersey Appellate Division upheld a lower state court ruling that Merck is entitled to reimbursement for its NotPetya costs under its "all risks" property insurance policies (see: Merck's Win in NotPetya Insurance Dispute: What It Means).
But several insurers appealed that ruling and were slated to begin oral arguments to the New Jersey Supreme Court on Thursday. Instead, on Wednesday, they asked the court to dismiss their appeals.
Court documents show the insurers dismissing their appeals include Aspen Insurance UK Limited, National Union Fire Insurance Company of Pittsburgh and HDI Global Insurance Company.
An attorney representing the insurers in their dismissed appeal declined Information Security Media Group's request for comment and for details about the settlement.
Merck did not immediately respond to ISMG's request for comment.
Insurance attorney Peter Halprin, a partner of law firm Haynes Boone, which is not involved in the Merck cases, said the settlement is significant for a number of reasons.
"The settlement is likely to leave intact the appellate court ruling, affirming the trial court's decision, that the hostile/warlike exclusion does not apply to Merck's losses," he said.
"Given the strong precedent established by the appellate court, the insurers likely decided that their chances of success on appeal did not merit a further fight. With this precedent intact, insurers will have to accept that courts are unlikely to be receptive to arguments that similarly worded exclusions apply to cyberattacks."
Global Fallout
A barrage of NotPetya attacks launched in June 2017 affected several companies worldwide besides Merck.
Danish shipping giant A.P. Møller - Maersk lost up to $300 million as a result of the NotPetya global malware outbreak. Snack food company Mondelez submitted a claim for about $100 million in losses with Zurich Insurance, which eventually settled the case in 2022. Total damages attributed to NotPetya are commonly estimated at about $10 billion worldwide.
For Merck, the effect of the attack was almost immediate. Within 90 seconds of the initial infection, approximately 10,000 machines in Merck's network became infected - and that number would ultimately more than quadruple.
Federal prosecutors in 2020 indicted six Russian military officers in connection with NotPetya and other hacking incidents (see: Analysis: Can Russia's Cyber Destruction Appetite Be Curbed?).
A Kremlin spokesman in 2018 disputed NotPetya's Russian attribution, telling media that attributions to Moscow amounted to a "Russophobic campaign."