Merck reaches settlement with insurers who denied $700 million NotPetya claim

esteria.white

Pharmaceutical giant Merck has reportedly reached an agreement with insurers over their refusal to cover losses resulting from the NotPetya cyberattack in 2017.

The undisclosed settlement, first reported by Bloomberg Law, is the culmination of a years-long legal battle that has attracted attention from the cybersecurity and insurance industries because of its implications for the definition of what constitutes “acts of war.” in the cybernetic context.

Following the NotPetya attacks, New Jersey-based Merck was denied nearly $700 million in coverage by its insurers because of a clause waiving the insurer’s liability for “acts of war “. The malware, which infected more than 40,000 machines in the Merck network, first targeted Ukrainian accounting software before disrupting businesses globally, and it is believed to have been planted by Russian government agents.

In early 2022, a New Jersey court governed that the war exemption did not apply to the case – a decision that was upheld in an appeals court last year. The insurers appealed once again, but according to Bloomberg Law, a “last minute” settlement was reached just before oral arguments began before the New Jersey Supreme Court.

In its initial ruling in favor of Merck, the court noted that although the cyberspace landscape has changed – with state actors increasingly involved in nefarious activities – “the evidence suggests that the language used in these policies has been virtually the same for many people. years.”

“It goes without saying that both parties to this contract are aware that cyberattacks in various forms, sometimes emanating from private sources and sometimes emanating from nation states (,) have become more common,” the court wrote. “Despite this, the insurers have done nothing to modify the language of the exemption to reasonably inform this insured of its intention to exclude cyberattacks.”

Since the NotPetya attacks, some steps have been taken to clarify what types of attacks are subject to exemptions. Insurance market giant Lloyd’s of London announced in 2022 that insurers would be required to exclude coverage for state-sponsored cyberattacks related to war and incidents that “significantly harm a state’s ability to function.”

In another case arising from the NotPetya attacks, food giant Mondelez settled with the insurer Zurich in 2022 for denying a $100 million claim on similar grounds.

Get more information with the

Future saved

Intelligence cloud.

Learn more.

No previous articles

No new articles

James Reddick

James Reddick has worked as a journalist around the world, including in Lebanon and Cambodia, where he was deputy editor of the Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.

Leave a comment