Merck Wins $1.4bn NotPetya Payout from Insurer
Merck has won a long-running legal battle to force its insurer to cover the costs of damages caused by the NotPetya ‘ransomware’ attacks.
The pharma giant was one of many big-name multinationals hit by the destructive malware, disguised as ransomware by Russian attackers targeting Ukrainian organizations back in 2017, as they are again today.
However, the malware soon spread globally, causing potentially billions of dollars of damage.
Many companies, including Merck and confectionary giant Mondelez, found their insurer refusing to pay because of an exclusion in their policy for “acts of war.”
However, a New Jersey superior court judge has now ruled that the language therein implies armed conflict rather than the cyber kind.
Although Merck was claiming under an “all-risk” property insurance policy, both these and more specific cyber policies often contain such exclusions.
However, the ruling may not be beneficial to other policyholders in the long run, as insurers are in general becoming much more prescriptive about coverage for cyber-incidents.
Lloyds of London last November released a new set of clauses that broadened act of war exclusions to “cyber-operations between states which are not excluded by the definition of war, cyber-war or cyber-operations which have a major detrimental impact on a state.”
Peter Groucutt, co-founder of Databarracks, said the new clauses would favor insurers going forward.
“Attribution is another challenge because it is not always clear who was responsible for an attack. There is understandably a lot of deception in cyber-warfare, with attackers leaving misleading breadcrumbs pointing to different attackers or nations. These clauses allow the insurer to determine attribution if the government does not or ‘takes an unreasonable length of time to.’ That seems to be a dangerous case of checking one’s own homework,” he argued.
“There is another challenge of attribution in that cyber groups are often loosely affiliated with a government. It is not always clear if they are directly controlled by or sponsored by the government. Previously, that distinction would be more important. Again, these new clauses widen the net with ‘those acting on its behalf’ working as a catch-all for these kinds of relationships.”
Ultimately the “parameters for payout” are narrowing, shifting more emphasis onto organizations to improve baseline protections, Groucutt concluded.
More Stories
NCSC Expands Election Cybersecurity to Safeguard Candidates and Officials
The National Cyber Security Centre launches an opt-in Personal Internet Protection service to safeguard individuals from cyber threats during the...
How To Spot A Fake Facebook Account
How do you manage your Facebook friends? Do you keep your list really tight and only include ‘active’ pals? Or...
Google Expands Synthetic Content Watermarking Tool to AI-Generated Text
Google DeepMind’s SynthID can now be used to watermark AI-generated images, audio, text and video Read More
Santander Customer Data Compromised Following Third-Party Breach
Santander has warned that customer and employee data has been breached following unauthorized access to a database held by a...
Current Market Forces Disincentivizing Cybersecurity, Says NCSC CTO
NCSC CTO argues current market rewards prioritize cost over security, hindering the development of secure technology Read More
Expanding Horizons: LevelBlue Enhances MSSP Offerings with Government Cloud Support
In today's digital landscape, cybersecurity is paramount, especially for government agencies entrusted with safeguarding sensitive data and critical infrastructure. Recognizing...