Merck & Co. has reportedly reached a settlement with several insurers regarding a 2023 court decision that rejected insurers’ attempts to invoke “hostile warlike action” exclusions in response to claims related to the 2017 NotPetya cyberattack. The terms of the settlement have not been disclosed, but Merck had initially sought $1.4 billion in damages, including lost revenue, due to the CryptoLocker attack impacting around 40,000 computers. The insurers had denied coverage based on a war exclusion, arguing that Russia launched NotPetya as part of its conflict with Ukraine. Last May, a New Jersey Appellate Division upheld a lower court ruling in favor of Merck’s reimbursement claim under its “all risks” property insurance policies.
Several insurers, including Aspen Insurance UK Limited, National Union Fire Insurance Company of Pittsburgh, and HDI Global Insurance Company, had appealed the ruling and were set to present oral arguments to the New Jersey Supreme Court. However, the insurers opted to dismiss their appeals on Wednesday and sought to end the litigation. The settlement is seen as significant in upholding the appellate court’s decision that the “hostile/warlike exclusion” does not apply to Merck’s losses. The precedent established by the appellate court suggests that insurers will face challenges convincing courts that similar exclusions should apply to cyberattacks.
The settlement’s details remain undisclosed, and both Merck and the insurers involved have yet to comment on the resolution. However, legal experts suggest that the insurers may have decided against pursuing further appeals due to the strong precedent set by the appellate court, making success on appeal unlikely. The case underscores the evolving landscape of insurance coverage in the face of cyber threats and the need for clarity on policy wordings in navigating cyber-related claims within the insurance industry.