Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

Merck $1.4 Billion Cyberhack Settlement Ends ‘Warlike’ Act Claim

Merck’s $1.4B NotPetya Insurance Claim Settlement

Executive Summary

Merck & Co., Inc., a global pharmaceutical leader, recently concluded a significant Insurance Claim Settlement. This resolution, Bloomberg Law reported first, relates to the NotPetya cyberattack in 2017. It is worth around $1.4 billion.

The settlement, reached shortly before a potentially important court review, stops the establishment of a nationwide standard in cyber insurance for acts classified as ‘warlike’.

About NotPetya

NotPetya is a destructive piece of malware that caused widespread damage in 2017. It destroyed the Master File Table (MFT) and the Master Boot Record (MBR), crippling the infected systems. Experts determined NotPetya was wiper malware, designed more for sabotage than for financial gain.

The malware spread quickly across systems, accessing admin credentials. It infected organisations in various sectors including finance, transportation, energy, commercial facilities, and healthcare sectors.

Merck was among the organisations severely impacted by this cyberattack. Originating from Russia, this malware targeted about 40,000 Merck computers.

Merck’s Insurance Fight

After the attack, Merck filed a massive $1.4 billion insurance claim under its general risks policy.

The NotPetya attack was considered by many cyber security experts as an act of silverware against Ukraine, however, it caused billions of dollars of losses to organizations worldwide. These organizations were not the real targets of the attack, and insurers claimed that the damage was caused by an act of war explicitly excluded by the insurance.

However, in January 2022, the New Jersey Superior Court ruled in favour of Merck. This decision, which was later supported by the higher court, stated that the ‘act of war’ clause was not applicable. This was a pivotal moment in the insurance industry.

The Settlement

The Insurance Claim Settlement occurred just before a scheduled New Jersey Supreme Court hearing. While the terms remain confidential, this settlement has significant implications for the cyber insurance market. Furthermore, it leaves unresolved the larger question of defining cyberattacks in the context of ‘warlike’ actions in insurance policies.

In another case related to the NotPetya attacks, the food giant Mondelez reached a settlement with insurer Zurich in 2022. The settlement was reached after Zurich initially denied a $100 million claim based on similar grounds.

Closing Comments

In summary, the Merck NotPetya case underlines complexities in cybersecurity insurance. With rising cyber incidents, insurers must evolve to address these unique challenges. This might involve considering a company’s cybersecurity measures in place.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.