Merck Wins $1.4bn NotPetya Payout from Insurer
Merck has won a long-running legal battle to force its insurer to cover the costs of damages caused by the NotPetya ‘ransomware’ attacks.
The pharma giant was one of many big-name multinationals hit by the destructive malware, disguised as ransomware by Russian attackers targeting Ukrainian organizations back in 2017, as they are again today.
However, the malware soon spread globally, causing potentially billions of dollars of damage.
Many companies, including Merck and confectionary giant Mondelez, found their insurer refusing to pay because of an exclusion in their policy for “acts of war.”
However, a New Jersey superior court judge has now ruled that the language therein implies armed conflict rather than the cyber kind.
Although Merck was claiming under an “all-risk” property insurance policy, both these and more specific cyber policies often contain such exclusions.
However, the ruling may not be beneficial to other policyholders in the long run, as insurers are in general becoming much more prescriptive about coverage for cyber-incidents.
Lloyds of London last November released a new set of clauses that broadened act of war exclusions to “cyber-operations between states which are not excluded by the definition of war, cyber-war or cyber-operations which have a major detrimental impact on a state.”
Peter Groucutt, co-founder of Databarracks, said the new clauses would favor insurers going forward.
“Attribution is another challenge because it is not always clear who was responsible for an attack. There is understandably a lot of deception in cyber-warfare, with attackers leaving misleading breadcrumbs pointing to different attackers or nations. These clauses allow the insurer to determine attribution if the government does not or ‘takes an unreasonable length of time to.’ That seems to be a dangerous case of checking one’s own homework,” he argued.
“There is another challenge of attribution in that cyber groups are often loosely affiliated with a government. It is not always clear if they are directly controlled by or sponsored by the government. Previously, that distinction would be more important. Again, these new clauses widen the net with ‘those acting on its behalf’ working as a catch-all for these kinds of relationships.”
Ultimately the “parameters for payout” are narrowing, shifting more emphasis onto organizations to improve baseline protections, Groucutt concluded.
More Stories
Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services
Google says it recently fixed an authentication weakness that allowed crooks to circumvent the email verification required to create a Google...
Friday Squid Blogging: Sunscreen from Squid Pigments
They’re better for the environment. Blog moderation policy. Read More
Compromising the Secure Boot Process
This isn’t good: On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than...
Synnovis Restores Systems After Cyber-Attack, But Blood Shortages Remain
Synnovis has rebuilt “substantial parts” of its systems following the Qilin ransomware attack on June 3, enabling the restoration of...
Hacktivists Claim Leak of CrowdStrike Threat Intelligence
CrowdStrike has acknowledged the claims by the USDoD hacktivist group, which has provided a link to download the alleged threat...
CrowdStrike Falcon Outage Exploited for Social Engineering
Cyber threat actors are exploiting the CrowdStrike Falcon outage to conduct social engineering attacks. Here's what the CIS CTI team...