What enterprises should learn from Merck’s $1.4 billion insurance lawsuit

January 25, 2022 – Published on SC Media

Earlier this month, pharma giant Merck won a $1.4 billion lawsuit over insurance companies’ duty to pay for the damages stemming from the 2017 NotPetya cyberattack.

NotPetya caused massive damage worldwide through wiper malware designed to look like ransomware. The consensus among Western nations is that NotPetya was a Russian attack on Ukraine that ran amok globally, causing companies like Merck to suffer massive losses. Merck’s insurance, like the vast majority of insurance, had a clause excluding acts of war. But a New Jersey judge ruled that the clause excluding war was intended for armed conflict, not cyber conflict. The vagaries of the policy meant it took five years and litigation to recover a substantial amount of losses.

The Merck case, paired with spiking ransomware payouts and generally increased cyber risk, has pushed insurers to make policies less nebulous while raising premiums and restricting payouts. That could force enterprises to make some unique decisions, said Drew Schmitt, principal threat intelligence analyst at GuidePoint Security:

“A potential byproduct from more specificity in insurance policies and a likely increase in cyber insurance premiums may be a reconsideration of whether cyber insurance has a positive impact to enterprise risk reduction or whether the funds spent on cyber insurance would be better invested elsewhere to support cybersecurity,” said Schmitt. “[But] it may be the motivation that many enterprises need to put more funding and emphasis on proactive cyber security controls and to bolster their reactive incident response capabilities in the event of an intrusion event.”
