Data Security, Incident Response, Malware

Merck insurer ordered to pay $1.4B in NotPetya attack, court rules


In what’s been heralded as a major win for insurance policy holders, a New Jersey appellate court upheld a January 2022 ruling in favor of Merck and ordered its insurance carrier to help cover losses the pharmaceutical giant suffered during the 2017 global NotPetya cyberattack.

The Superior Court of New Jersey Appellate Division judge upheld an earlier judgment against Ace American Insurance, finding the insurers didn’t demonstrate the cyberattack was hostile or warlike, as required by the exclusion clauses of Merck’s policy.

“Coverage could only be excluded here if we stretched the meaning of ‘hostile’ to its outer limit in an attempt to apply it to a cyberattack on a noncombatant firm that provided accounting software updates to various noncombatant customers, all wholly outside the context of any armed conflict or military objective,” according to the decision.

“But that approach would conflict with our basic construction principles requiring a court to narrowly construe an insurance policy exclusion,” it continued. “The specific, plain, clear, and prominent meaning of, and the clear import and intent of, a word or phrase in an exclusion does not equate to its broadest possible interpretation, but rather its narrowest.”

The case stemmed from the fallout suffered by Merck during the NotPetya incident. The lawsuit shows that “within 90 seconds of the initial infection, approximately 10,000 machines in Merck's global network were infected,” with about 20,000 more machines infected within five minutes. In total, more than 40,000 machines in the pharmaceutical giant's network were infected.

The company suffered an estimated $1.4 billion in losses tied to production disruptions, manufacturing outages, third-party cyber firm fees, and the cost to replace each impacted system.

At the time of the cyberattack, Merck held a $1.75 billion all-risk policy with Ace American that covered events leading to software data loss. However, the insurer refused to pay, citing an “Acts of War” exclusion clause, as NotPetya was caused by a Russian-backed cyberattack against Ukrainian entities.

The clause is present in the majority of insurance policies, but Merck argued the exclusion did not apply as the impacts it suffered were not caused by a nation-state cyberattack.

The initial August 2018 lawsuit filed by Merck noted the exclusion clause only pertained to official government attacks and did not refer to cyber-related incidents.

A December 2021 decision by the New Jersey Superior Court “unhesitatingly” granted Merck’s motion for partial summary judgment, determining the hostile/warlike action exclusion didn’t apply to exclude coverage for Merck's losses caused by NotPetya and ruled against Ace American. The insurer later appealed, asserting the trial court got it wrong.

The argument in favor of Merck contended that “accepting the insurers' interpretation of the hostile/warlike exclusion ‘would operate to change the settled meaning of war exclusions and ... also threaten to undo the policy interpretation rules that local governments have historically relied upon’ to ensure adequate insurance coverage.”

This week’s decision puts an end to a drawn-out legal battle, requiring Ace American to cover Merck’s incurred damages.

The “decision is an important win for policyholders who continue to seek, and pay substantial premiums for, certainty with respect to their insurance coverage in the face of these oft-uncertain cyberattacks,” David Cummings, a partner at Reed Smith who represented policyholders, told SC Media in an email.

“In many ways, this decision boils down to the Court’s thoughtful application of fundamental principles of insurance law: exclusionary provisions must be construed narrowly against the insurer, any ambiguities must be resolved in the insured’s favor and consistent with the insured’s reasonable expectations,” he added.

Namely, the decision confirmed that the plain language used in warlike or hostile exclusions can’t “reasonably be interpreted as encompassing a cyberattack on a non-military company,” or on a company providing services to customers outside of the military, explained Cummings.

In short, “the mere presence of hostile or warlike action is not enough.” For Cummings, the “decision was a meaningful affirmation that plain language and the core, policyholder-friendly tenets of insurance law must ultimately prevail.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.