Merck's high-profile and costly cyberattack may have been nearly half a decade ago, but the incident's legal ramifications are still playing out. Merck and its insurers have been battling over $1.4 billion in losses from the attack, and, earlier this week, the pharma giant scored a legal victory in that fight.
After filing a lawsuit in August 2018 seeking to reclaim financial losses from the "NotPetya" incident, Merck and its insurers have been at odds over whether the attack should be covered. Merck's insurers have said that since the cyberattack originated from the Russian government as part of its hostility toward Ukraine, the losses should be subject to an "act of war" exclusion. Merck has taken the opposite stance.
This week, New Jersey Superior Court Judge Thomas J. Walsh concluded that the act of war exclusion doesn't apply, Bloomberg reports, because it's intended for actual armed conflict.
Citing the "the plain meaning of the language in the exclusion," plus earlier case law, the court "unhesitatingly" found that the act of war exclusion "does not apply," he wrote. Both sides are aware that cyberattacks from various sources have "become more common," the judge wrote, but the insurers didn't change their contract language to inform Merck that cyberattacks would be excluded.
"Having failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare," the judge wrote.
The ruling applies only on the issue of whether the coverage exclusion should factor in the case; the court didn't order any payments. But it's a win for Merck in the long-running litigation tied to its June 2017 cyberattack.
As a result of the attack, Merck suffered significant financial losses as the illicit software spread to tens of thousands of company computers and resulted in a disruption of "worldwide operations including manufacturing, research and sales operations," the company said in a subsequent annual report.
In February 2018, the White House said Russia conducted the attack as "part of the Kremlin’s ongoing effort to destabilize Ukraine," resulting in collateral damage to Merck and other companies.
Since the attack, Merck and others in the pharmaceutical industry have placed a growing emphasis on cybersecurity. In a 2020 annual report, the company said it "has implemented a variety of measures to further enhance and modernize its systems to guard against similar attacks in the future and also is pursuing an enterprise-wide effort to enhance the company's resiliency against future cyberattacks including incidents similar to the 2017 attack."