Merck Settles Coverage Dispute With Insurers Over War Exclusion in NotPetya Attack

January 5, 2024 by

Merck & Co. Inc. has reportedly reached a deal with insurers over a closely-watched coverage dispute related to a massive cyberattack in 2017.

The New Jersey Supreme Court in July 2023 agreed to hear the case after a state appeals court ruled months prior against eight insurers, finding that a hostile/warlike action exclusion in an all risks property insurance policy did not apply to a Russian-linked cyberattack known as “NotPetya” on the pharmaceutical firm.

Bloomberg Law reported three insurers filed with the court on Wednesday and that the settlement is confidential. Merck has not responded to a request for comment.

More than 30 insurers were involved in the case at the start, but many have since resolved their claims with Merck. Eight insurers that remained in the case included Ace American, Allianz, Liberty Mutual, QBE, XL and Lloyd’s syndicates. Merck’s property insurance program included the “all risks” property policies in a three-layer structure, with $1.75 billion in total limits above a $150 million deductible. The remaining eight insurers’ policies insured percentages of coverage in one, two or all three of the layers. In total, they disputed about $700 million in coverage or just under 40% of Merck’s total coverage for the policy period.

The insurers had tried to use the exclusions to avoid paying Merck’s claim, citing the fact the NotPetya malware was attributed to Russia and was meant to be deployed to disrupt and destabilize Ukraine. The malware wound up affecting thousands of companies worldwide.

The state appellate court ruling upheld a January 2022 state trial court decision that the war exclusions in the drugmaker’s policies did not apply.

The state appeals panel concluded the insurers did not demonstrate that the NotPetya attack was a “hostile” or “warlike” action and thus the exclusion could not be used. While insurers conceded the word “warlike” in the exclusion might not be applicable, they asserted the word “hostile” should be read in the broadest possible sense.

The case, though specific to New Jersey, had been closely followed by the insurance industry, and it highlighted the risk of embedded cyber risk within non-cyber policies. Following the massive cyberattack, which also resulted in another high-profile coverage dispute between Mondelez International and insurer Zurich American Insurance Company, the industry looked to shore up policy language in order avoid any perception of ambiguity by adding cyber-specific exclusions to property and liability contracts. The Lloyd’s Market Association released four model war and cyber war exclusions.