In 2017, drug giant Merck was hit with a cyberattack from Russia in an effort to destabilize Ukraine. The NotPetya attack launched a virus that infected Merck computers through a server in Ukraine and spread quickly, affecting 30,000 computers at the drugmaker.
Merck suffered hundreds of millions in damages. In its 2018 annual report, the company said the attack “led to a disruption of its worldwide operations, including manufacturing, research and sales operations.” The company said it lost potential sales of $410 million in 2017 and 2018, and it had to pay other hack-related expenses of $285 million on top of that.
Merck took the logical next step and filed a claim with its insurance carriers. Insurers rejected the claim, saying the damages were excluded from policies as they arose from an “act of war,” claiming the attack on Merck was collateral damage in a cyberattack originated from the Russian government as part of its hostility toward Ukraine.
Merck sued its carriers for $1.4 billion in damages. Earlier this week, Merck scored a legal victory when New Jersey Superior Court Judge Thomas J. Walsh concluded that the act of war exclusion in the policies does not apply because it’s intended for actual armed conflict. Judge Walsh observed that carriers are aware that cyberattacks have “become more common,” but the insurers didn’t change their contract language to inform Merck that cyberattacks would be excluded.
Merck still has a long way to go to win coverage. The ruling applies only to the issue of the act of war exclusion.
If you have a business insurance coverage dispute that you would like to discuss, please contact Kristi Browne at firstname.lastname@example.org.