Give NotPetya-hit Merck that $1.4B, appeals court tells insurers
May 3, 2023 – Published on The Register
Merck’s insurers can’t use an “act of war” clause to deny the pharmaceutical giant an enormous payout to clean up its NotPetya infection, a court has ruled.
A New Jersey appellate court this week upheld an earlier decision that a group of insurers could not use the war exclusion in their insurance policies — despite the US and UK governments, among others others, attributing NotPetya to Kremlin-backed fiends — because the attack against Merck wasn’t specifically linked to Russian military action.
The ruling means Merck may finally claim its $1.4 billion payout. And it’s likely going to make it more difficult for insurance companies to use war as an excuse to not pay losses related to cyberattacks, according to industry watchers.
GuidePoint Security’s Mark Lance, VP of digital forensics and incident response and threat intel, told The Register that the ruling is “a blow to the way that they [insurance companies] are conducting business” with an increasing emphasis put on these act-of-war clauses.
Lloyd’s of London last year said its insurance policies will stop covering losses from certain nation-state cyber attacks and those that happen during wars, declared or not, beginning April 1, 2023.
Also in 2022, Mondelez International settled its lawsuit against Zurich American Insurance Company, which it brought because the insurer refused to cover the snack giant’s $100-million-plus cleanup bill following the 2017 NotPetya outbreak. Zurich had denied the snack giant’s claims citing a similar war exclusion.
The Merck ruling “sets this precedent, where you have an attack that was associated with a certain region, but was not considered an act of war,” Lance told The Register.
Read More HERE.