Merck wins cyber-insurance lawsuit related to NotPetya attack

A New Jersey court has ruled in favor of Merck in a lawsuit the pharmaceutical company filed against its insurer, Ace American, which declined to cover the losses caused by the NotPetya ransomware attack.

The NotPetya incident, which took place in June 2017 and impacted thousands of companies all over the world, destroyed data on more than 40,000 Merck computers and took the company months to recover.

Merck estimated the damage at $1.4 billion, a loss caused by production outage, costs to hire IT experts, and costs of buying new equipment to replace all affected systems.

At the time, the company had a $1.75 billion "all-risk" insurance policy, which included coverage for software-related data loss events.

However, Ace American refused to cover the losses, citing that the NotPetya attack was part of Russian hostilities against Ukraine and, as a result, was subject to the standard "Acts of War" exclusion clause that is present in most insurance contracts.

Merck sued Ace American in November 2019 and argued in court that the attack was not "an official state action," hence the Acts of War clause should not apply.

Merck's lawyers said that the exclusion clause contained language that limited the Acts of War to official government agencies and did not specifically mention cyber-related events; and, as a result, the clause should not apply to their customer.

In a ruling last month, spotted by Lexology, the New Jersey Superior Court has sided with Merck and its strict interpretation of the Acts of War clause.

"Given the plain meaning of the language in the exclusion, together with the foregoing examination of the applicable caselaw, the court unhesitatingly finds that the exclusion does not apply," Judge Thomas J. Walsh wrote in an opinion justifying the ruling.

The judge argued that despite knowing that cyber-attacks can be acts of war, Ace American also did not move to update the language in its exclusion clauses.

"Certainly they had the ability to do so," Judge Walsh said about Ace American. "Having failed to change the policy language, Merck had every right to anticipate that the exclusion policy applied only to traditional forms of warfare."

Reached out for comment on last month's ruling, a Merck spokesperson said that as a matter of policy, they do not comment on legal matters. An Ace American spokesperson did not return a request for comment.

The case, while not a matter of mainstream news, has had a huge impact on the insurance business, and several insurers in recent years have moved to update the language of their Acts of War exclusion clauses, with the latest being Lloyd's, which updated its language just days before the court's ruling.

"The NJ Superior Court decision (in favor of Merck) reinforces that legacy insurance has a serious problem: responding to cyber events with non-cyber policies that fail to take the nuances of cyber risk into account results in unnecessary damages," Catherine Lyle, Head of Claims at Coalition, told The Record in an email earlier this week.

"Merck wasn't the first to learn this from the fallout of the NotPetya attacks (we also saw this happen to Mondelez); they're just the latest example," she added.

But Ace American (Merck case) and Zurich Insurance (Mondelez case) are not the only classic insurance companies that are getting sued and losing in court when they refuse to cover costs related to cyber-security incidents.

Melissa Krasnow, a privacy partner at VLP Law Group LLP, highlighted several other litigation cases related to cyber-attacks and their coverage in an email conversation with The Record earlier this week. This also included the case of a screen-printing business, which won in court against its insurer the right for damages even if the ransomware attack didn't completely cripple its business and it could still cater to customers.

"The Merck case is distinguished by the significant cyber attack and amounts involved," Krasnow said.

These recent lawsuits are among the factors contributing to a general change in the cyber-insurance market, where contract language is getting a major overhaul and insurance premiums are rising in order to make sure insurers can cover the damages by an ever-increasing number of cyber-attacks.

Krasnow urged companies to find out how their cyber liability insurance coverage is or will be impacted by the recent developments and if the language in some contracts may exclude some incidents from coverage.

"For businesses moving forward, the implications are clear: old-school thinking from legacy insurers, combined with policies built on bad wording and underwriting, will leave them unprotected from major cyber risks," Lyle said.