Merck has struck up a settlement with insurers over its $1.4 billion NotPetya cyberattack claim, according to reports.
The US pharmaceutical giant made an eleventh-hour confidential agreement with insurers on Wednesday, putting a stop to a case that could have set a national cyber insurance precedent, Bloomberg Law first reported.
Twenty-six policies were originally at issue in the case, but by last May, when the appellate court delivered its ruling in Merck’s favor, just eight insurers accounting for around $700 million (or 40%) of coverage had yet to settle.
Insurers had previously sought to rely on war exclusions in the all-risks property policies to swerve paying out for billion dollar plus costs Merck faced as a result of the 2017 NotPetya malware attack.
However, the appellate court found in May that the “exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action.”
“The exclusion does not state the policy precluded coverage for damages arising out of a government action motivated by ill will,” it found.
The court’s stance has proved somewhat controversial among the insurance and legal communities.
The original decision, on which the appellate court ruled last May, had been criticized by Kennedys partners Joshua Mooney and Julia Selby as looking “backward to a century past”.
Haunted by the specter of systemic risk, insurers have moved to tighten policy wordings around cyber-attacks.
In 2020, Lloyd’s clamped down on silent cyber in all-risks policies.
Lloyd’s has further moved to require its standalone cyber market participants to include “suitable” clauses excluding liability for state backed cyber-attacks from March 2023, unless otherwise agreed.
The White House blamed a Russian action against Ukraine after the NotPetya malware made its way into systems worldwide in 2017, causing billions of dollars’ worth of damage.
Merck was just one victim, with businesses having been affected by the 2017 cyber incident across 65 countries.
Merck’s case, it took just 90 seconds for 10,000 of its machines across its global network to be infected. This doubled to 20,000 within five minutes, and overall more than 40,000 machines were bought down, according to court documents.
What’s your view on the Merck NotPetya cyber insurance case and how insurers are navigating cyber exposures? Leave a comment below.
