Merck claims victory in NotPetya ransomware dispute

Merck & Co has emerged victorious from a dispute with insurers over a $1.4bn payout to cover losses it suffered in the wake of the notorious NotPetya ransomware attack in 2017.

The big pharma group – known as MSD outside North America – was just one of thousands of companies hit by the malware attack, along with Reckitt Benckiser, Cadbury, FedEx, AP Moller-Maersk, Deutsche Post DHL Group and retailer Metro AG.

Merck's insurers, including Ace American, argued in the case that they were not liable for the losses because the attack was effectively an act of war, coming in the wake of Russia's military intervention in Ukraine which started in 2014, and that was not covered by the company's cover.

Merck begged to differ, and its stance has been backed by a New Jersey superior court concluding that exclusion clauses in its insurance specified armed conflict, rather than cyber warfare.

Since then, many insurers have shored up their policies to make sure cyber attacks are specified as exclusions in the small print.

The award covers the losses Merck said t suffered as a result of the attack, including production outages that hit sales of key products like HPV vaccine Gardasil, the costs of hiring IT experts to get systems back online and shore up security, and the purchase of new equipment.

The court ruled that despite being aware that cyber attacks have become more common, insures "did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks."

It also concluded that Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare and not to cyber attacks such as NotPetya, according to a Lexology report.