Merck Wins $1.4bn NotPetya Payout from Insurer
Merck has won a long-running legal battle to force its insurer to cover the costs of damages caused by the NotPetya ‘ransomware’ attacks.
The pharma giant was one of many big-name multinationals hit by the destructive malware, disguised as ransomware by Russian attackers targeting Ukrainian organizations back in 2017, as they are again today.
However, the malware soon spread globally, causing potentially billions of dollars of damage.
Many companies, including Merck and confectionary giant Mondelez, found their insurer refusing to pay because of an exclusion in their policy for “acts of war.”
However, a New Jersey superior court judge has now ruled that the language therein implies armed conflict rather than the cyber kind.
Although Merck was claiming under an “all-risk” property insurance policy, both these and more specific cyber policies often contain such exclusions.
However, the ruling may not be beneficial to other policyholders in the long run, as insurers are in general becoming much more prescriptive about coverage for cyber-incidents.
Lloyds of London last November released a new set of clauses that broadened act of war exclusions to “cyber-operations between states which are not excluded by the definition of war, cyber-war or cyber-operations which have a major detrimental impact on a state.”
Peter Groucutt, co-founder of Databarracks, said the new clauses would favor insurers going forward.
“Attribution is another challenge because it is not always clear who was responsible for an attack. There is understandably a lot of deception in cyber-warfare, with attackers leaving misleading breadcrumbs pointing to different attackers or nations. These clauses allow the insurer to determine attribution if the government does not or ‘takes an unreasonable length of time to.’ That seems to be a dangerous case of checking one’s own homework,” he argued.
“There is another challenge of attribution in that cyber groups are often loosely affiliated with a government. It is not always clear if they are directly controlled by or sponsored by the government. Previously, that distinction would be more important. Again, these new clauses widen the net with ‘those acting on its behalf’ working as a catch-all for these kinds of relationships.”
Ultimately the “parameters for payout” are narrowing, shifting more emphasis onto organizations to improve baseline protections, Groucutt concluded.
More Stories
73% of UK Education Sector Hit by Cyber-Attacks in Past Five Years
New ESET research reveals that 73% of UK educational institutions experienced at least one cyber-attack or breach in the past...
Ransomware Attacks Surge to Record High in December 2024
NCC Group observed 574 global ransomware attacks in December, the highest monthly volume it has recorded Read More
AI Will Write Complex Laws
Artificial intelligence (AI) is writing law today. This has required no changes in legislative procedure or the rules of legislative...
Major Cybersecurity Vendors’ Credentials Found on Dark Web
Cyble has found thousands of security vendors' credentials on the dark web, likely pulled from infostealer logs Read More
Account Compromise and Phishing Top Healthcare Security Incidents
Netwrix claims 84% of healthcare organizations detected a cyber-attack in the past year Read More
Cloudflare Mitigates Record-Breaking 5.6Tbps DDoS Attack
Cloudflare warns of a surge in hyper-volumetric DDoS after revealing it stopped a massive 5.6Tbps attack Read More