Merck, the New Jersey-based pharmaceutical giant, faced a massive outage when the NotPetya malware infected more than 40,000 of its computers. Initially targeting Ukrainian accounting software, the malware spread worldwide and brought work to a standstill at the organizations it hit. The attackers behind this devastating cyberattack are believed to be linked to the Russian government.
This case became pivotal in shaping the narrative around the term “act of war” in the cyber context. Merck’s insurers initially rejected the claim, citing a war exclusion clause that exempted them from paying for losses caused by hostilities. The widespread impact of the malware and its alleged connection to state-sponsored activities called the applicability of this exclusion into question.
In early 2022, a New Jersey state court ruled that the war exclusion did not apply in this scenario. The insurers appealed, but a settlement was reached shortly before the New Jersey Supreme Court was scheduled to hear oral arguments, according to Bloomberg Law. This legal battle shed light on the development of the incident and the increasing involvement of state actors in illegal cyber activities.
In its initial ruling in Merck’s favor, the court noted that despite changes in the cyber environment and growing state involvement in illegal activity, “the language used in this insurance policy has changed little over the years.” It was clear that both sides were aware of the rampant cyber attacks that take many forms, sometimes from the private sector and sometimes from state actors. However, the insurers had not changed the wording of the policy to reasonably notify the policyholder of their intention to exclude cyber attacks.
The agreement is a reference point in determining the parameters of insurance claims related to cyber attacks. After the NotPetya attack, steps were taken to clarify the types of attacks that fall under the exclusion. In 2022, London-based insurance behemoth Lloyd’s announced that insurers will not cover state-sponsored cyber attacks related to war or incidents that significantly impair the functioning of the state, unless expressly excluded.
In a related case, food conglomerate Mondelez settled with Zurich Insurance in 2022 for a $100 million claim that was dismissed on the same grounds as the Merck case.
The settlement between Merck and its insurers over the NotPetya cyber attack marks a milestone in the evolving field of cyber risk management and insurance. This precedent suggests that the insurance industry may need to develop more detailed policies that take into account the complexity of modern cyber warfare and its consequences.