Merck, insurers settle case over losses from 2017's NotPetya cyberattack

By Erin Ayers, Front Page News

Pharmaceutical giant Merck and its slate of insurers have settled the case of whether an exclusion for “hostile” or “warlike” action could be applied to losses stemming from a 2017 cyberattack, according to reports.

In May 2023, a New Jersey appeals court ruled in favor of Merck in Merck & Co., Inc.  v. ACE American et. al, finding that the property policies in the case included a war exclusion with no mention of cyber warfare and the NotPetya event did not rise to the level of an act of war since no military action was involved. The appellate decision upheld a January 2022 lower court ruling.

Insurers appealed the case to the Supreme Court of New Jersey and oral arguments were scheduled for Jan. 4. Sources told Front Page News the record in the appeal pending before the state’s highest court had been sealed in the weeks leading up to oral arguments. The terms of the final settlement, first reported by Bloomberg, have also not been disclosed.

Background

On June 27, 2017, a destructive malware attack swept the globe striking dozens of corporations, among them Merck, food conglomerate Mondelez International, shipping firm Maersk, and more. Multiple nations attributed the attack to the Russian government as part of an attempt to disrupt Ukraine’s government and businesses.

A U.S. federal grand jury later charged six officers in the Russian Main Intelligence Directorate (GRU) over NotPetya and other cyberattacks. NotPetya is estimated to have caused over $10 billion in economic losses.

At the time of the event, Merck held 26 all-risk property policies with a tower of insurers including units of Chubb, AIG, Allianz, Liberty Mutual, QBE, and several Lloyd’s syndicates and limits of $1.75 billion. Merck estimated the damage from the NotPetya event spread to 40,000 computers with financial losses of more than $1.4 billion.

Prior to the appeals court’s May 2023 decision, several of Merck’s insurers had already resolved claims, leaving just eight insurers and just under $700 million in coverage up for dispute.

Impact

Had the New Jersey Supreme Court ruled on the yearslong issue, it would have provided additional guidance for how traditional war exclusions on property policies stand up to modern cyber warfare or state-sponsored cyberattacks. Another similar case between Zurich Insurance and Mondelez settled out of court in October 2022, leaving only the two state court rulings in Merck in the body of caselaw.

The New Jersey superior court noted in its January 2022 ruling that the existing language, which excludes “loss or damage caused by hostile or warlike action in time of peace or war” by any government or sovereign power does not contemplate cyberattacks even though the insurers could have updated it to do so. The appellate court, in a lengthier opinion, stated that damages could only be excluded by the pertinent language if they involved military action.

“The exclusion does not state the policy precluded coverage for damages arising out of a government action motivated by ill will,” the appeals court said at the time, adding, “Coverage could only be excluded here if we stretched the meaning of ‘hostile’ to its outer limit in an attempt to apply it to a cyberattack on a noncombatant firm that provided accounting software updates to various noncombatant customers, all wholly outside the context of any armed conflict or military objective.”

Since NotPetya occurred, the insurance industry has sought to eliminate ambiguities in policies, either excluding or affirming coverage for cyber events in traditional policies. The cyber insurance sector has also drafted updated language for state-sponsored cyberattacks and cyber warfare, with Lloyd’s of London now requiring exclusionary clauses for its syndicate firms and many non-Lloyd’s insurers also tightening their own terms. The Merck case addresses only all-risk property policies, not standalone cyber insurance policies.

The American Property Casualty Insurance Association (APCIA), which filed an amicus brief in the Merck case, cited cyber risk as “among the greatest global risks for insurers and the industry.” Reliable exclusions are a key part of mitigating that risk, according to the association.

“Insurers rely on proper application of an insurance contract exclusion for losses caused by ‘hostile or warlike action in time of peace or war’ to protect against aggregated and uninsurable risk,” said Claire Howard, APCIA’s senior vice president, general counsel and corporate secretary, in a statement provided to Front Page News. “This exclusion (and the protection it provides) is essential to the insurance market’s ability to underwrite cyber risk and to help policyholders defend against cyber threats while building resilience in the wake of cyberattacks.” 

Howard added, “Requiring insurers to continuously update broad policy exclusions whenever a new mode of activity is developed that is clearly encompassed within the plain terms but not specified by name would eviscerate many exclusions for which the language was designed to stand the test of time.”

Managing Editor Erin Ayers can be reached at erin.ayers@zywave.com