Connect with us

Hi, what are you looking for?


Cyber Insurance

Merck Settles NotPetya Insurance Claim, Leaving Cyberwar Definition Unresolved

In a landmark case that blurs the lines between cyber and kinetic warfare, Merck reached a settlement with insurers over a $1.4 billion claim stemming from the NotPetya malware attack.

Merck Cyberinsurance Settlement

A legal definition of cyberwar and its relationship with kinetic war has been avoided by a settlement between Merck and its insurers over damage caused by NotPetya.

Merck had lodged an insurance claim for $1.4 billion for damage caused by the NotPetya malware attack in 2017. Merck did not have cyberinsurance but made a claim under its ‘all-risks’ coverage.

NotPetya was attributed to Russia as part of an effort to attack Ukraine. For most people, this was an act of cyberwar against Ukraine. Its effect spread around the globe, causing billions of dollars of further damage in what, on the surface, appears to be collateral damage emanating from an act of cyberwar.

This basic stance was adopted by the insurers over Merck’s claim. Merck did not have cyber insurance, and the damage was excluded by the standard war exclusion clause. But a legal definition of cyberwar is a tricky problem, and is discussed by SecurityWeek in What is Cyberwar?

In January 2022, New Jersey Superior Court Judge Thomas J. Walsh found in favor of Merck. He said the war exclusion clause ‘does not apply’, and that “Having failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.”

The insurers appealed — but in May 2023, the New Jersey appellate clause upheld the original decision, saying that the NotPetya attack “is not sufficiently linked to a military action or objective as it was a non-military cyberattack against an accounting software provider.” The court specifically declined to discuss the relationship between cyberattacks and warlike exclusions: “Therefore, we decline the Insurers’ request to delineate the exact scope of what cyberattacks might be encompassed under the hostile/warlike exclusion.”

The insurers appealed again but have now settled with Merck. Merck can be considered to have won the argument although details of the settlement have not been disclosed.

Bloomberg Law comments, “Pharmaceutical giant Merck & Co. Inc. struck an 11th-hour settlement with insurers Wednesday, evading a New Jersey Supreme Court review of its massive cyberattack insurance dispute on the eve of an oral argument that could have set a national precedent impacting the booming cyber insurance market.”

Advertisement. Scroll to continue reading.

We have learned more about what fails the cyberwar legal litmus test, but are no closer to a legal definition of cyberwar.

Related: Zurich Rejects Mondelez’ $100 Million NotPetya Insurance Claim Citing ‘Act of War’

Related: Malware Attack Disrupts Merck’s Worldwide Operations

Related: Petya/NotPetya: What We Know in the First 24 Hours

Related: Lloyd’s of London Introduces New War Exclusion Insurance Clauses

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyber Insurance

Cyberinsurance and protection firm Boxx Insurance raises $14.4 million in a Series B funding round led by Zurich Insurance.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet