Legal Implications of the NotPetya Cyberattack: Merck’s Insurance Dispute

   Jan 28, 2024 | Nurettin Erginoz, CTO, Radiflow

The intersection of cybersecurity incidents and traditional legal frameworks has become a focal point in recent years, with the 2017 NotPetya cyberattack serving as a compelling case. Let’s delve into the nuances of Merck & Co., Inc.’s $1.4 billion insurance claim resulting from the NotPetya incident, exploring the complex legal landscape surrounding cyber threats.

Merck, a prominent American multinational pharmaceutical company headquartered in New Jersey, USA, encountered severe disruptions in 2017 when NotPetya malware infiltrated its systems. The attack, initially camouflaged as ransomware, emerged as a sophisticated form of wiper malware designed to inflict sabotage rather than pursue financial gain. Specifically, the NotPetya attack damaged more than 40,000 Merck computers after a compromised update to a Ukrainian accounting software package was downloaded. The attack led to major disruptions of Merck’s operations, including research and development, sales, and manufacturing. Notably, this incident underscored the evolving nature of cyber threats, with experts suggesting a potential state-sponsored diversionary strategy.

In response to the substantial operational losses incurred, Merck sought restitution through a $1.4 billion insurance claim. Intriguingly, Merck lacked specific cyberattack insurance, relying solely on its ‘all-risk’ property coverage against general risks. Roughly $700 million in claims were subject to dispute, raising a pertinent issue regarding the adequacy of traditional insurance frameworks to address business loss from cyber incidents.

The crux of the legal dispute revolved around the insurers’ assertion that the NotPetya attack constituted a hostile or warlike action, an act of war explicitly excluded from coverage. However, the judicial proceedings demonstrated a departure from a rigid interpretation of insurance policies. In a pivotal decision in January 2022, Judge Thomas J. Walsh of the New Jersey Superior Court ruled in favor of Merck, rejecting the application of the act-of-war exclusion.

Crucially, in May 2023 the New Jersey Appellate Division upheld the initial ruling, affirming Merck’s claim against the insurers. This legal outcome carries broader implications for the evolving landscape of cybersecurity and its intersection with insurance law.

Judge Walsh’s refusal to categorize the NotPetya attack as an act of war signifies a nuanced understanding of contemporary cyber threats. The decision recognizes the intricate nature of such incidents, challenging the conventional application of insurance clauses designed for conventional acts of war.

Notably, the judgment refrained from explicitly attributing the cyberattack to a nation-state actor. This legal opinion underscores the inherent difficulty of definitively assigning responsibility for cyber incidents, particularly when they are designed to obfuscate their origin and motive.

Merck’s successful resolution of the insurance dispute sets a precedent for organizations grappling with the aftermath of cyberattacks. As businesses seek to protect an expanding digital environment, there arises a compelling need to reassess insurance coverage, ensuring that policies adapt to the dynamic challenges posed by sophisticated cyber adversaries and an ever-evolving threat landscape.

Cyber Meets Legal

The Merck NotPetya insurance dispute serves as a landmark regarding the legal ramifications of cyber incidents in contemporary business environments. The courts’ approach to the act-of-war clause, refraining from explicit attribution, sheds light on the complexities of addressing cyber threats within traditional legal frameworks. As organizations strive to fortify their cyber resilience, the Merck case underscores the imperative of comprehensive and adaptable insurance coverage tailored to the dynamics of modern cyber warfare.