Merck's Win in NotPetya Insurance Dispute: What It Means
Pharma Giant Insurers Had Denied Coverage for Malware Attack Under 'War' Exclusions
Pharmaceutical giant Merck's insurers must cover company losses from the 2017 NotPetya malware attack, a New Jersey state appeals court ruled, finding that underwriters can't invoke an exclusion for hostile or warlike action.
The decision by a three-judge panel of the New Jersey Appellate Division on Monday upholds a lower state court ruling that Merck is entitled to reimbursement for NotPetya costs under its "all risks" property insurance policies.
Several of Merck's insurers, including Ace American Insurance, Allianz Global, Liberty Mutual, Zurich American Insurance and Lloyd's of London, appealed the ruling. At issue is nearly $700 million in coverage.
A wave of NotPetya cryptolocker attacks began in June 2017, originating in an update to an accounting application widely used in Ukraine. The malware spread across the globe, and total damages are commonly estimated at around $10 billion. Within 90 seconds of the initial infection, approximately 10,000 machines in Merck's network became infected - a number that would ultimately more than quadruple.
Federal prosecutors in 2020 indicted six Russian military officers in connection with NotPetya and other hacking incidents (see: Analysis: Can Russia's Cyber Destruction Appetite Be Curbed?).
A Kremlin spokesman in 2018 contested the malware's Russian attribution, telling media that attributions to Moscow amounted to a "Russophobic campaign."
Insurance companies conceded that a "warlike" exclusion for the NotPetya incident might not be applicable. The three-judge panel said the word "hostile" also isn't applicable to the NotPetya incident.
"The exclusion does not state the policy precluded coverage for damages arising out of a government action motivated by ill will," wrote Superior Court Judge Heidi W. Currier in the unanimous decision.
The most immediate impact of the ruling "will be on cases involving the same exclusionary language. However, the broader message is that insurers must clearly identify the risks that they wish to exclude if they do not want to cover those risks," Peter Halprin of the law firm Pasich told Information Security Media Group.
Merck is not the only NotPetya victim to have battled its insurers for coverage payouts in the aftermath of the attack.
Mondelez International - maker of Oreo cookies, Ritz crackers and Tang fruit-flavored powder - sued Zurich Insurance Group in 2018 after the firm refused the food manufacturer's claim, made under an all-risk property policy, for at least $100 million in damages stemming from the NotPetya malware wave.
The two parties settled their dispute last October just before closing arguments were set to start in a jury trial already in its second week.
Liberty Mutual, Zurich and Allianz Global declined ISMG's request for comment on the New Jersey appellate court ruling.
Merck and other insurers involved in the dispute did not immediately respond to ISMG's request for comment.