Merck & Co has reached a confidential settlement with insurers in a coverage dispute over a cyberattack known as “NotPetya” in 2017 [1]. This case has drawn significant attention from the insurance industry and highlights the need for clearer policy language regarding cyber risk [1].

Description

The insurers argued that the $1.4 billion claim, resulting from the NotPetya cyberattack that infected over 40,000 computers in Merck’s global network, was excluded by policy contract language due to a hostile/warlike action exclusion clause [2]. Initially, more than 30 insurers were involved in the case [1], but many have since resolved their claims with Merck [1]. However, eight insurers disputed about $700 million in coverage [1], representing just under 40% of Merck’s total coverage [1]. The case was set to be reviewed by the New Jersey Supreme Court, but a settlement was reached before any potential ruling that could set a precedent. The terms of the settlement were not disclosed.

Conclusion

This settlement has resolved a significant dispute between Merck and its insurers, avoiding a potential precedent-setting ruling. However, it also highlights the need for clearer policy language regarding cyber risk [1]. The case has prompted the Lloyd’s Market Association to release model war and cyber war exclusions, indicating a growing recognition of the importance of addressing cyber risk in insurance policies.

References

[1] https://www.claimsjournal.com/news/national/2024/01/05/321339.htm
[2] https://www.businessinsurance.com/article/20240105/NEWS06/912361959