Merck battles with insurers over $1.3bn cyber-attack payout

A cyber-attack that hit Merck & Co two years ago is still dogging the company, as it tries to come to a resolution with insurers about a $1.3bn payout claim.

The notorious NotPetya ransomware attack on June 27, 2017 was carried out by Russian military hackers, according to the US government, which has said it was directed at Ukraine but spread quickly to affect many organisations.

Other companies affected by the attack included UK consumer healthcare company Reckitt Benckiser, chocolate manufacturer Cadbury (part of Mondelez, formerly Kraft Foods), freight logistics company FedEx, Danish shipping company AP Moller-Maersk, German mail and logistics firm Deutsche Post DHL Group and retailer Metro AG.

On the day of the attack, tens of thousands of computers across the pharma company had their data encrypted and displayed a ransomware demand for $300 in bitcoin apiece.

That was a diversion, according to the US, which insists NotPetya was despatched by Russia, not the usual cyber criminals seeking a fast, anonymous payoff, and was designed to disrupt operations.

Merck is pursuing dozens of insurance companies that covered its properties over the incident in a New Jersey court, in a lawsuit some observers suggest could end up being a test for future cases centred on the damage caused by cyber criminals.

The insurers' position is that they aren’t liable to pay out because the attack was effectively an act of war, coming in the wake of Russia’s military intervention in Ukraine which started in 2014, according to NATO.

Merck – which says it had $1.75bn in insurance coverage – begs to differ, and the ongoing litigation is focusing on how war can be defined in the digital age.

Four companies out of around 30 that issued policies to the big pharma company have settled, but the rest – including big players Allianz SE and American International Group – are still holding out, according to Bloomberg.

Merck – known as MSD outside North America – said in the weeks after the attack that it had affected its ability to supply its human papillomavirus (HPV) vaccine Gardasil, used to prevent cervical and related cancers, and had cost it at least $135m in lost revenue and another $175m in remediation costs as it tried to bring its facilities back online.

By the end of the year it said the cost of fixing its systems had risen to $870m. In its lawsuit, Merck is claiming breach of contract and seeking to recoup $1.3bn in losses, but legal experts suggest it could be months or even years before the case is resolved.

Just a few weeks before the cyber-attack, a senior executive at Merck revealed the vulnerability of the sector at a US government committee meeting, pointing to more than a million health records exposed by breaches in recent years.
