Insurers Must Pay Merck's $1.4B Losses For NotPetya

Merck's insurers can't use an "act of war" clause to deny the pharmaceutical giant an enormous payout to clean up its NotPetya infection, a court has ruled and Merck may now be entitled to a large insurance payout from the high-profile NotPetya cyber attack provided an appeals court ruling stands.

The appellate court in New Jersey has ruled that insurance companies must pay more than $1.4 billion to cover losses incurred when Merck’s systems became infected with NotPetya malware in 2017. The court ruled that the war exclusions the insurance companies were invoking in a bid to deny coverage did not apply in the case of the cyber attack.

The case stemmed from a ransomware attack Merck suffered in June 2017 on the eve of Ukraine’s Constitution Day. The NotPetya malware was delivered into an accounting software developed by a Ukrainian company that was used by Merck and other companies, according to the court’s description of events. More than 40,000 machines in Merck’s global network were infected.

The U.S. government later attributed the attack to Russia’s military intelligence operations and charged six Russian officers in connection with the event.

Pointing to Russian military involvement, Merck’s insurers invoked the hostile/warlike action exclusion clause in their policies and refused to cover the company’s losses.An appellate court recently officially rejected an argument by the insurers for Merck & Co. that they are not liable for the pharmaceutical giant's $1.4 billion in losses following a 2017 cyber attack because the incident fell under exclusions for acts of war.

The New Jersey appellate court judges said that in order for a cyber attack to fall under any type of war exclusion it must involve military action. 

The Russian-backed NotPetya malware was found to be behind the cyberattack, and since Merck's Ukraine operations were initially targeted, insurers claimed the breach was an extension of military hostilities following Russia's invasion of Ukraine. "The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action," the judges explained in their ruling.  "Coverage could only be excluded here if we stretched the meaning of 'hostile' to its outer limit."

Covington & Burlington LLP:    Law360:    Dark Reading:    Bloomberg:    Fierce Pharma:   SANS:   The Register:  

You Might Also Read: 

Insurers Will Exclude Some Nation-State Cyber Attacks From Cover:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Challenges For CTOs In 2023
Malware Disguised As Legitimate Android Apps »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Zayo

Zayo

Zayo is a leading global bandwidth infrastructure services provider for high-performance connectivity, secure colocation and flexible cloud services.

SureCloud

SureCloud

SureCloud is a Governance, Risk and Compliance (GRC) and Cybersecurity Solutions provider.

DirectDefense

DirectDefense

DirectDefense is an information security services and managed services provider.

Bridewell

Bridewell

Bridewell provide cost effective Security & Risk Assurance Services across Information Security, Cyber Security, Technology Risk, Security Testing and Data Privacy.

Sigma IT

Sigma IT

SIGMA IT is one of the largest IT services organizations in EMEA region providing a full range of solutions and services including cybersecurity, data protection and business continuity.

Zeusmark

Zeusmark

Zeusmark are a digital brand security company. We enable companies to successfully defend their brands, revenue and consumers online.

Collins Aerospace

Collins Aerospace

Collins Aerospace provides cybersecurity services and systems to protect critical infrastructure facilities and railroad operations.

Calypso AI

Calypso AI

Calypso AI build software products that solve complex AI risks for national security and highly-regulated industries.

RevBits

RevBits

RevBits provides high-performance cybersecurity solutions including email security, endpoint security, deception technology and PAM solution to enterprise companies and public sector organizations.

Action1

Action1

Action1 is a Cloud-based lightweight endpoint security platform that discovers all of your endpoints in seconds and allows you to retrieve live security information from the entire network.

Motiv ICT Security

Motiv ICT Security

Motiv is the ICT security specialist that provides public and private sector organisations with IT security solutions and services to prevent cybercrime, data theft and data breaches.

GovernmentCIO

GovernmentCIO

GovernmentCIO was founded with a single purpose: to transform government IT. We are thought leaders in data analytics, machine learning, cybersecurity and IT transformation.

Private Client Cyber Security (PCCS)

Private Client Cyber Security (PCCS)

PCCS provides enterprise-grade cybersecurity consulting and services to professional practices, executives, athletes, and high net worth families.

Narf Industries

Narf Industries

Narf Industries are a small group of reverse engineers, vulnerability researchers and tool developers that specialize in tailored solutions for government and large enterprises.

Eventus Security

Eventus Security

Eventus, are a team of highly skilled professionals who are committed to deliver excellence in next generation cyber security services and customized solutions for your enterprise.

HazeGrayCyber

HazeGrayCyber

HazeGrayCyber offers comprehensive technical services to bring your company to the next level.