Court says insurers must pay Merck over cyberattack

An appeals court in the US has rejected arguments by insurance companies that they should not have to cover losses accrued by Merck & Co over a notorious cyberattack that hit the pharma company in six years ago.

The judgment upholds a lower court ruling last year, which dismissed the insurers’ position that they were not liable for the losses because the attack was effectively an act of war, coming it did in the wake of Russia’s military intervention in Ukraine which started in 2014 with the annexation of Crimea.

The appeals court agreed the NotPetya malware cyberattack – which affected Merck as well as thousands of other companies – cannot be excluded from coverage under the warlike-act exclusion clauses of Merck’s policies.

It’s a big deal, considering Merck has estimated that losses accrued as a result of the attack amount to a whopping $1.4bn.

“The plain language of the exclusion does not support the Insurers’ interpretation,” said the appeals court ruling.

“The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action,” it added. “The exclusion does not state the policy precluded coverage for damages arising out of a government action motivated by ill will.”

Merck said in a statement that it is “pleased with the decision by the Appellate Division affirming the lower court’s ruling granting summary judgment for Merck on the war exclusion issue as we believe that this was not hostile or warlike action, and applying this exclusion would be inappropriate.”

The insurers – including Ace American – still have the option to try to elevate the dispute to the Supreme Court, although that may not be likely given the two prior judgments.