Merck entitled to $1.4B in cyberattack case after court rejects insurers' 'warlike action' claim

Merck may finally be entitled to a hefty insurance payout from the high-profile NotPetya cyberattack—if an appeals court ruling stands.

A New Jersey appellate court on Monday ruled that a group of insurers can’t use war as an argument to deny Merck coverage from the notorious cyberattack that afflicted the company and others back in 2017.

Upholding a prior ruling, the appeals court said in an opinion (PDF) that the “hostile/warlike action” exclusion clause shouldn’t be applied to a cyberattack on a non-military company—even if it originated from a government or sovereign power. In this case, the hack was tied to Russia as part of its aggression against Ukraine, according to U.S. officials.

The Superior Court of New Jersey previously granted Merck a $1.4 billion payout after the pharma company sued its insurers, which had denied coverage for the NotPetya attack. On appeal, eight insurers disputed nearly $700 million in coverage, or about 40% of the total Merck had in its property insurance program at the time.

The case stemmed from a ransomware attack Merck suffered in June 2017 on the eve of Ukraine’s Constitution Day. The NotPetya malware was delivered into accounting software that was developed by a Ukrainian company and used by Merck and other companies, according to the court’s description of events. More than 40,000 machines in Merck’s global network were infected.

The U.S. government later attributed the attack to Russia’s military intelligence operations and charged six Russian officers in connection with the event.

Pointing to Russian military involvement, Merck’s insurers invoked the hostile/warlike action exclusion clause in their policies and refused to cover the company’s losses.

In the appellate court’s opinion, a panel of three judges argued that the insurers employed an overly broad interpretation of the exclusion. The insurance companies contended that any state-backed action that “reflects ill will or a desire to harm” falls within the “hostile/warlike action” exclusion. But the judges said they “stretched the meaning of ‘hostile’ to its outer limit.”

The NotPetya attack “is not sufficiently linked to a military action or objective as it was a non-military cyberattack against an accounting software provider,” the judges wrote in their opinion.

Beyond the Merck case, the healthcare industry remains a top target for cyberattacks. A 2021 report from the U.S. government found that healthcare accounted for nearly a quarter of cyberattack events in 2020, the most of all industries.

Just last month, German biotech Evotec had to shut down its network to cope with a cyberattack. India’s Sun Pharma disclosed an IT security breach in March. Novartis was reportedly the victim of an extortion malware attack last year.