Merck Awarded $1.4B Insurance Payout over NotPetya Attack

Court rules ‘War or Hostile Acts’ exclusion doesn’t apply to the pharma giant’s 2017 cyberattack.

Unsealed court records show pharmaceutical giant Merck was awarded a $1.4 billion payout last month on its property insurance policy, for losses the company suffered because of the 2017 NotPetya cyberattacks.

Merck’s cyber-insurance company, International Indemnity, was claiming the losses fell under the “War or Hostile Acts” exclusion. That’s because in Oct. 2020, the U.S. Department of Justice charged six Russian nationals with the NotPetya attacks with alleged ties to Russian military intelligence.Password Management Webinar

The Superior Court of New Jersey ruled the exclusion was “inapplicable.”


Merck’s $1.75 billion property insurance policy will have to cover the damage the NotPetya attacks did to the company’s 40,000 computers, totaling more than $1.4 billion, according to the court filing.

The ruling also explains that any “ambiguity” in the language of an insurance policy should, by legal precedent, be interpreted to meet the “reasonable expectations” of the policy holder.

Insurance Policy Language

Insurance companies are already tightening up policy language to stave off nation-state cybersecurity claims.

Lloyds of London recently took measures to hedge against cybersecurity claims, announcing last November that it will no longer cover “cyber-war” losses, which the company specifically defined as retaliatory attacks between nation-states with a “… major detrimental impact on the functioning of a state.”

Other insurers are likely to follow, according to infosec industry watchers.

“In just four years since 2017, cyber insurance has progressed dramatically,” Jack Kudale, CEO of Cowbell Cyber told Threatpost in reaction to the ruling. “Critical elements needed to modernize the approach and achieve full alignment between policyholders and their insurers include standardization of coverages, clarification of terms, advanced and continuous assessment of cyber-risk, and transparency in the underwriting process.”

Many across the infosec industry have long argued that cyber-insurance isn’t a long-term solution from a business, or cybersecurity perspective.

“The growth of ransomware is pushing the financial boundaries of insurance companies, so they’ve been looking for escape hatches,” Netenrich threat hunter John Bambenek told Threatpost by email. “‘Act of war’ clauses are common in insurance contracts, but only in cybersecurity is there any real risk of that. Organizations will have to bake in this gap into their risk-mitigation plans, but the answer to cybersecurity has never been ‘more insurance’ anyway.”


Suggested articles