
Court Rules in Favor of Merck in $1.4 Billion Insurance Claim Over NotPetya Cyberattack

Court says insurers must pay Merck for losses related to the Russia-linked NotPetya cyberattack.

The Superior Court of New Jersey Appellate Division has ruled in favor of Merck in its $1.4 billion claim against the insurance industry for denying payment for damages caused by the 2017 NotPetya cyberattack. Merck did not have separate cyber insurance, and instead relied on the ‘all risks’ element of its property insurance.

According to Merck, within ninety seconds of the initial NotPetya infection, roughly 10,000 machines in its global network were infected by the malware, and over 40,000 machines were ultimately infected across the company globally.

The insurers claimed that the property insurance was subject to a war exclusion clause, and the “exclusion is clear and unambiguous, and it plainly applies to the NotPetya attack.” 

Judges Currier, Mayer and Enright have now disagreed, and declared, “We have addressed the exclusion in terms of the presented circumstances before us. And we have found the Insurers have not satisfied their burden to show it could be fairly applied to the NotPetya cyberattack. That is the scope of our review. Therefore, we decline the Insurers’ request to delineate the exact scope of what cyberattacks might be encompassed under the hostile/warlike exclusion.”

This is an interesting position. While declining to accept the nation-state NotPetya attack as an act of war, the judges have also declined to define what type of cyberattack could qualify as one.

But as far as this case is concerned, that is academic. The court concluded, “terms similar to ‘hostile or warlike action’ by a sovereign power are intended to relate to actions clearly connected to war or, at least, to a military action or objective. Therefore, in addition to the plain language interpretation of the exclusion requiring the inapplicability of the exclusion, the context and history of this and similarly worded exclusions and the manner in which similar exclusions have been interpreted by courts all compel the conclusion that the exclusion was inapplicable to bar coverage for Merck’s losses.”

David Cummings, a partner in the litigation practice group of Reed Smith (who authored an amicus brief filed by United Policyholders in the case), commented, “The Appellate Division’s decision is an important win for policyholders who continue to seek (and pay substantial premiums for) certainty with respect to their insurance coverage in the face of these often uncertain cyberattacks.

“In many ways, this decision boils down to the Court’s thoughtful application of fundamental principles of insurance law: exclusionary provisions must be construed narrowly against the insurer, any ambiguities must be resolved in the insured’s favor and consistent with the insured’s reasonable expectations. On that score, the Court correctly determined that the plain language of the policies’ hostile/warlike action exclusion simply cannot reasonably be interpreted as encompassing a cyberattack on a non-military company providing commercial services to non-military customers.”

Cyber is, however, considered to be a modern theater of war – and cyber changes faster than any other modern arena. Discussion will likely continue over the validity of applying historical definitions to the new world.

Nevertheless, continued Cummings, “The mere presence of hostile or warlike action is not enough where, as here, the underlying activity is commercial in nature, and the damage is not caused by a warlike attack directed at the policyholder. In sum, the Court’s decision was a meaningful affirmation that plain language and the core, policyholder-friendly tenets of insurance law must ultimately prevail.”

This may or may not be the end of the Merck case, but it is probably just the beginning of future arguments about what can or cannot be construed as a cyber act of war. A $1.4 billion payout is no small matter for the insurance industry and is bound to have ramifications for the cyber – and property – insurance industry.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
