An American insurer has to pay $1.4 billion to Merck because of the NotPetya ransomware attack. The court ruling could have major implications for insurers worldwide, as Ace Insurance argued that NotPetya was an act of war.
The ruling settles a long-running lawsuit between Ace American Insurance and Merck, which operates in the rest of the world as Merck Sharp and Dohme, or MSD. International pharmaceutical and chemical company Merck was hit by the NotPetya ransomware in June 2017, along with dozens of other companies and government agencies. Security experts attribute NotPetya to the Russian military intelligence service GRU, which wanted to use the ransomware as an act of sabotage in the conflict in Ukraine at the time, in which Russia was not yet involved on paper. Merck was not a primary target, but was nevertheless hit by the ransomware via the accounting program M.E.Doc. The company ultimately suffered more than hundreds of millions of dollars in damage from that attack after 10,000 machines were infected.
Merck turned to eight insurers with which the company had a policy, including Ace American Insurance. The company had policies with the various insurers that would pay out up to $1.75 billion after a deductible of $150 million. However, the insurers refused to pay out $700 million, citing NotPetya as an act of war. The policies included exclusions for this.
Merck then went to court. That became a long-running battle, which Merck seemed to win in January 2022. At that time, a New Jersey judge ruled that the various insurers had to pay $1.4 billion in total damages to Merck. The insurers appealed, but have now had to back down in court.
Not linked to military action
The appellate court says NotPetya “cannot be sufficiently linked to military action because it was a non-military cyberattack against an accounting software provider.” With that, the insurers have not sufficiently proven that the attack fell under the exclusion clause for war situations. The court finds that the exclusion clause only applies if military action is involved. While the United States generally assumes NotPetya was a Russian military operation, the military does not view it as an official military act of war.
The ruling could have far-reaching consequences for how ransomware is insured from now on. Many insurers offer policies against damage from cyber attacks, especially ransomware. As with most insurance, acts of war are not covered, but with ransomware it has always been vague when an infection counts as an act of war or an offensive by another country. In ransomware cases, insurers are increasingly relying on the exclusion clauses, which lawyers sometimes refer to as a ‘catch-all category’. In this case, the judges now state in clear terms that insurers can no longer simply call every attack an act of war.