Merck Awarded $1.4 Billion for NotPetya After 5 Years of Legal Battle

NotPetya malware first cropped up on computers worldwide in June 2017, setting the stage for today’s ransomware attacks and ultimately causing $10 billion in damages globally.  
By: | May 8, 2022

NotPetya malware first cropped up on computers worldwide in June 2017, setting the stage for today’s ransomware attacks and ultimately causing $10 billion in damages globally.  

Linked back to Russia, the NotPetya attacks demonstrated to the world what kind of vulnerabilities must be monitored in order to remain cyber safe. 

It also sparked a reassessment of cyber insurance and what is actually covered. 

Pharmaceuticals company Merck had an all-risk policy issued by International Indemnity in 2017. At that time, the policy was not tailored to cyber needs, and the precedent of having a cyber policy proper had yet to become the insurance expectation.  

The NotPetya attack destroyed data on more than 40,000 Merck computers, which took the company months to recover. The resulting losses totaled $1.4 billion. 

When Merck turned to its insurer for coverage, however, it was denied. Merck took the insurer to court in a legal battle that lasted five years.  

In 2020, when the U.S. Department of Justice charged six Russian nationals with ties to the NotPetya attack, identifying the start of the attack as a means to undermine Ukraine, International Indemnity pointed to a “War or Hostile Acts” exclusion within the policy.  

The clause read, “Loss or damage caused by warlike action in time of peace or war, including action in hindering combating, or defending against an actual, impending, or expected attack … this policy does not insure against.” 

The insurer argued that the NotPetya attack was in fact an act of war and thus could not be covered under its policy. 

However, Merck argued, the cyber event itself was not an act of war per the definition outlined by the policy.  

The Superior Court of New Jersey agreed. In January 2022, the judge ruled in favor of Merck, saying that no combat or physical attack had occurred, therefore a war exclusion would not apply. 

Merck was awarded $1.4 billion. 

Scorecard: International Indemnity is on the hook for the $1.4 billion price tag of the NotPetya attack’s effect on Merck. 

Takeaway: Five years of litigation to recover such a substantial amount of loss is a long time, yet Merck is a prime example of a business willing to wait. Ransomware events are growing, and cyber exclusions alongside them. Protecting against cyber will require innovation at a great scale moving forward. &

Autumn Demberger is a freelance writer and can be reached at [email protected].

More from Risk & Insurance