Merck's cyber insurance coverage upheld in NotPetya case, interpreted as a win for policyholders
New Jersey Appellate Court Rules in Favour of Merck in Cyberattack Insurance Case
In a significant decision, the New Jersey appellate court has upheld a ruling in favour of Merck, a major pharmaceutical company, in a long-running dispute over insurance coverage for the 2017 NotPetya cyberattack.
The ruling provides policyholders with 'a little more certainty when making claims,' according to legal experts. The court agreed that insurers could not deny coverage using war exclusion language contained in the policies, a decision that could make it easier for companies to get their claims covered if a forensic investigation finds a state-linked actor is connected to an attack.
Merck was affected by the cyberattack after downloading infected accounting software from a Ukrainian firm. The attack infected about 40,000 machines on Merck's network, causing disruption to sales, manufacturing, research, and development. The state-sponsored hacker group involved in the attack is known as Sandworm or APT28.
The ruling concerns claims of $1.4 billion stemming from the cyberattack. Merck's property insurance program included 'all risks' policies in a three-layer structure with a total limit of $1.75 billion and a $150 million deductible. However, the impact of the ruling on the remaining $699 million in claims, or about 40% of the company's total insurance coverage, was not specified.
The remaining legal dispute involves more than $699 million in claims. A lawyer representing the insurance firms in the case declined to comment, while a spokesperson for Merck was not immediately available for comment.
The insurance industry has been working to standardize cyber insurance policy language over the last several years since the NotPetya attack, with some success. However, insurers have struggled to manage a surge in claims and demand for coverage in recent years, with some firms clamping down on state-linked cyber activity and others denying claims based on war exclusion language.
Michael Dion, VP, Senior Analyst at Moody's Investors Service, expected the ruling to be upheld, but suggested that insurers might attempt additional appeals to a higher court. He noted that the policy language in place during the 2017 NotPetya attack is different from the more stringent language used today, which defines what is covered and what is not covered, including what constitutes an act of war.
Fred Eslami, associate director at AM Best, stated that both the original and appeal decisions could have a positive impact on the insurance industry, encouraging insurers to update policy language and exclusions for new and emerging risks. He noted that the ruling is considered a victory for policyholders facing increased risk of attacks, particularly those dealing with state-linked cyber activity.