Merck & Co.’s victory in a legal dispute with insurers over coverage for $1.4 billion in losses from malware known as NotPetya is expected to force insurance policies to more clearly confront responsibility for the fallout from nation-state cyberattacks.
The multinational pharmaceutical company sued its insurers, who had denied coverage for NotPetya’s impacts to its computer systems, citing a policy exclusion for acts of war.
The 2017 malware attack, deployed as part of a conflict with Ukraine, was attributed to Russia’s military intelligence agency.
New Jersey Superior Court Judge Thomas J. Walsh ruled Jan. 13 that Merck’s insurers can’t claim the war exclusion because its language is meant to apply to armed conflict.
The ruling noted that insurers didn’t change the war language to put companies like Merck ‘on notice’ that cyberattacks wouldn’t be covered, despite a trend of attacks by countries like Russia hitting private sector companies.