Merck settles with insurers who denied $700 million NotPetya claim


Pharmaceutical giant Merck has reportedly reached a settlement with insurers over their refusals to cover losses stemming from the NotPetya cyberattack in 2017.

The undisclosed settlement, first reported by Bloomberg Law, is the culmination of a years-long court battle that has attracted attention from the cybersecurity and insurance industries because of its implications for defining what constitutes “acts of war” in the cyber context.

Following the NotPetya attacks, New Jersey-based Merck was denied nearly $700 million in coverage by its insurers because of a clause waiving insurer responsibility for “acts of war.” The malware, which infected more than 40,000 machines in Merck’s network, first targeted Ukrainian accounting software before disrupting companies globally, and is believed to have been planted by Russian government operatives.

In early 2022, a New Jersey court ruled that the warfare exemption did not apply to the case — a ruling that was upheld in appellate court last year. The insurers appealed once more, but according to Bloomberg Law an “11th-hour” settlement was reached just before oral arguments began at the New Jersey Supreme Court.

In its original decision in favor of Merck, the court noted that even as the landscape has shifted in cyberspace — with nation-state actors increasingly involved in nefarious activity — “evidence suggests that the language used in these policies has been virtually the same for many years.”

“It is also self-evident, of course, that both parties to this contract are aware that cyber attacks of various forms, sometimes from private sources and sometimes from nation-states[,] have become more common,” the court wrote. “Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks.”

Since the NotPetya attacks, some measures have been taken to clarify which sorts of attacks are subject to exemptions. The insurance marketplace behemoth Lloyd’s of London announced in 2022 that underwriters would be required to exclude coverage for state-backed cyberattacks linked to war and incidents that “significantly impair the ability of a state to function.”

In another case arising from the NotPetya attacks, the food giant Mondelez settled with the insurer Zurich in 2022 over its denial of a $100 million claim on similar grounds.


James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.

