Skip to main content

Pharma giant Merck settles $1.4 billion cyberattack case | Insurance Business UK

Ruling would have set a cyber cover precedent in the US

Pharma giant Merck settles $1.4 billion cyberattack case


By Jen Frost

Merck has struck up a settlement with insurers over its $1.4 billion NotPetya cyberattack claim, according to reports.

The US pharmaceutical giant made an eleventh-hour confidential agreement with insurers on Wednesday, putting a stop to a case that could have set a national cyber insurance precedent, Bloomberg Law first reported.

Twenty-six policies were originally at issue in the case, but by last May, when the appellate court delivered its ruling in Merck’s favor, just eight insurers accounting for around $700 million (or 40%) of coverage had yet to settle.

However, the appellate court found in May that the “exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action.”

“The exclusion does not state the policy precluded coverage for damages arising out of a government action motivated by ill will,” it found.

The court’s stance has proved somewhat controversial among the insurance and legal communities.

The original decision, on which the appellate court ruled last May, had been criticized by Kennedys partners Joshua Mooney and Julia Selby as looking “backward to a century past”.

Insurance companies have tightened wordings to plug cyber systemic risk gaps

Haunted by the specter of systemic risk, insurers have moved to tighten policy wordings around cyber-attacks.

In 2020, Lloyd’s clamped down on silent cyber in all-risks policies.

NotPetya – the Merck and international impact

The White House blamed a Russian action against Ukraine after the NotPetya malware made its way into systems worldwide in 2017, causing billions of dollars’ worth of damage.

Merck was just one victim, with businesses having been affected by the 2017 cyber incident across 65 countries.

Merck’s case, it took just 90 seconds for 10,000 of its machines across its global network to be infected. This doubled to 20,000 within five minutes, and overall more than 40,000 machines were bought down, according to court documents.

What’s your view on the Merck NotPetya cyber insurance case and how insurers are navigating cyber exposures? Leave a comment below.

Related Stories

Please enable JavaScript to view the comments powered by Disqus.


This page requires JavaScript


contact us