Pharma giant Merck & Co has reportedly reached an agreement with insurers over coverage of the $1.4bn in financial losses that the company says it incurred as a result of the NotPetya cyberattack it suffered in 2017.

An undislosed settlement was reached on January 3, just ahead of a scheduled hearing on the case in the New Jersey Supreme Court, according to a Bloomberg Law report. Merck’s insurers – including Ace American – had lodged an appeal against a 2022 verdict by the court that they were liable for the losses.

The earlier judgment rejected the insurers’ position that the cyberattack was effectively an act of war, coming in the wake of Russia's military intervention in Ukraine which started in 2014, and so was not covered by the company's policies.

Merck argued that the exclusion cause specified armed conflict, rather than cyber warfare, even though the attack was later attributed to Russia’s military intelligence operations.

The decision to settle without testing the insurers’ position in court has interesting ramifications, given the escalation in conflicts around the world in the last couple of years.

Bloomberg Law notes that in amicus briefs filed ahead of the planned hearing, “national associations for big business, manufacturers, and corporate insurance litigators all had urged the court to uphold the ruling and plant a national flag on this issue benefiting insured businesses.”

Merck – known as MSD outside North America – was just one of thousands of companies hit by the malware attack, along with Reckitt Benckiser, Cadbury, FedEx, AP Moller-Maersk, Deutsche Post DHL Group and retailer Metro AG.