Merck cyber coverage upheld in NotPetya decision, seen as victory for policyholders

A court victory in the closely watched insurance case is expected to stabilize a turbulent market and provide some assurance for organizations amid a rise in nation-state activity.

A New Jersey appellate court upheld a prior ruling in favor of Merck, a major pharmaceutical company embroiled in a closely watched case involving $1.4 billion in claims stemming from the 2017 NotPetya cyberattack.

The court agreed Monday that insurers could not deny coverage under war exclusion language contained in the policies, saying the circumstances didn’t apply in the Merck case.

The decision is considered a major victory for companies seeking claims for cyberattacks at a time when hackers linked to rogue nation-states have stepped up threat activity through supply chain attacks, ransomware and other malicious threats.

Merck was impacted when it downloaded infected accounting software from a Ukrainian firm that was hit with malware. The attack infected about 40,000 machines on Merck’s network, causing massive disruption to sales, manufacturing, research and development.

Merck’s property insurance program included “all risks” policies in a three-layer structure, according to court documents. The policies had $1.75 billion in total limits with a $150 million deductible.

The remaining legal dispute involved more than $699 million in claims, or about 40% of the company’s total coverage.

Legal and insurance experts said the ruling represents a victory for policyholders who are facing increased risk of attacks. Insurers have struggled to manage a surge in claims and demand for coverage in recent years, with some firms clamping down on state-linked cyber activity and other firms denying claims based on war exclusion language.

“This is good for policyholders with comparable language,” said attorney David Cummings, a partner in the insurance recovery group at Reed Smith, who filed an amicus brief on behalf of a group called United Policyholders. “If nothing else, it provides them with a little more certainty when making claims.”

If a forensic investigation finds a state-linked actor is connected to an attack, this new ruling will make it easier for companies to get their claims covered, according to Cummings.

“Both the original and appeal decisions should have a positive impact on the insurance industry in general to be on top of the complex and developing landscape of cyber — or for that matter, any new and emerging risk — by at least looking at the policy language and updating for the exclusions they deem necessary,” Fred Eslami, associate director at AM Best, said via email.

Michael Dion, VP, Senior Analyst at Moody’s Investors Service, said the ruling was expected to be upheld, but he would not be surprised if the insurers attempted additional appeals to a higher court.

“It is important to remember that the policy language that was in place at the time in 2017 of the NotPetya attack is very different than that used today, which is more stringent in defining what is covered and what is not covered, what is an act of war, etc.,” Dion said via email. “The industry has been working to standardize cyber insurance policy language over the last several years since the incident, with some success.”

A spokesperson for Merck was not immediately available for comment. A lawyer representing the insurance firms in the case declined to comment.