Court Rules Insurers Must Pay Merck $1.4B for NotPetya Losses
An appellate court in New Jersey has ruled that insurance companies must pay Merck more than $1.4 billion to cover losses incurred when Merck’s systems became infected with NotPetya malware in 2017. The court ruled that the war exclusions the insurance companies were invoking in a bid to deny coverage did not apply in the case of the cyberattack.
I hate to always be a nattering nabob of negativism about the lack of value delivered by cyberinsurance, but it is important to note that this ruling is based on the particular very large “All Risks” type of policy Merck had, not “vanilla” cyberinsurance. The court stated that type of policy is a “…special type of insurance extending to risks not usually contemplated, and recovery under the policy will generally be allowed…” Also, note that it took 5 years of legal actions to get to this judgement, which may yet be overturned. And this policy had a $150M deductible, in any case. Remember, NotPetya succeeded because the Windows flaw (CVE-2017-0144) that enabled the previous WannaCry attacks had not been patched – it would have cost Merck much less than the deductible, let alone the full incident, to maintain critical patch essential hygiene levels.
Excellent for Merck, and if you had a similar claim rejected on those grounds you may want to chat with your lawyer. More significantly, expect your cyber insurer to be updating their exclusions. When you get that updated coverage or renewal notice, make sure that you read it carefully and again engage your legal team: you want to be certain what is and is not covered and under which constraints.
This, in my opinion, is precedent-setting and will force insurers to rethink coverage limitations and the cost to provide cyber insurance. I tend to agree with the appellate court finding in upholding the lower court’s decision: it was neither a hostile nor a warlike action directed at Merck. I would be remiss not to point out that the attack was only successful because Merck failed to patch a vulnerability that was several years old. Cyber insurance shouldn’t be a substitute for an effective patch management program.
The key lesson here is to ensure that you carefully review the terms and conditions, together with any exclusions, in your cybersecurity policies. Make sure that after the review, you are comfortable with what your policy covers and does not cover, while remembering that cyber insurance is more about covering the financial risk associated with a cyber-attack than managing the cybersecurity risk.