Merck settles with insurers who denied $700 million NotPetya claim
Pharmaceutical giant Merck has reportedly reached a settlement with insurers over their refusals to cover losses stemming from the NotPetya cyberattack in 2017.
The undisclosed settlement, first reported by Bloomberg Law, is the culmination of a years-long court battle that has attracted attention from the cybersecurity and insurance industries because of its implications for defining what constitutes “acts of war” in the cyber context.
Following the NotPetya attacks, New Jersey-based Merck was denied nearly $700 million in coverage by its insurers because of a clause waiving insurer responsibility for “acts of war.” The malware, which infected more than 40,000 machines in Merck’s network, first targeted Ukrainian accounting software before disrupting companies globally, and is believed to have been planted by Russian government operatives.
In early 2022, a New Jersey court ruled that the warfare exemption did not apply to the case — a ruling that was upheld in appellate court last year. The insurers appealed once more, but according to Bloomberg Law an “11th-hour” settlement was reached just before oral arguments began at the New Jersey Supreme Court.
In its original decision in favor of Merck, the court noted that even as the landscape has shifted in cyberspace — with nation-state actors increasingly involved in nefarious activity — “evidence suggests that the language used in these policies has been virtually the same for many years.”
“It is also self-evident, of course, that both parties to this contract are aware that cyber attacks of various forms, sometimes from private sources and sometimes from nation-states[,] have become more common,” the court wrote. “Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks.”
Since the NotPetya attacks, some measures have been taken to clarify which sorts of attacks are subject to exemptions. The insurance marketplace behemoth Lloyd’s of London announced in 2022 that underwriters would be required to exclude coverage for state-backed cyberattacks linked to war and incidents that “significantly impair the ability of a state to function.”
In another case arising from the NotPetya attacks, the food giant Mondelez settled with the insurer Zurich in 2022 over its denial of a $100 million claim on similar grounds.
James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.