Global biopharmaceutical company Merck has won a $1.4B legal dispute against its insurer over the NotPetya attack.
Merck sued its insurers, Ace American, who denied coverage for NotPetya’s impact on its networks, citing a policy exclusion for “acts of war”; the attack came after Russia’s military intervention in Ukraine, which started in 2014. Merck, which says it had $1.75 billion in insurance coverage, argued it was essential to focus on how war can be defined in the digital age.
Merck was one of the thousands of companies hit by the malware, along with Danish shipping company Maersk, freight logistics company FedEx, retailer Metro AG, Cadbury chocolate manufacturer and U.K. healthcare company Reckitt Benckiser. Maersk, for instance, ended up spending over $300 million on repair and recovery after NotPetya destroyed 49,000 computers and over 1,000 applications. Organizations affected by NotPetya spent hundreds of millions of dollars to restore their systems and the data that the malware encrypted. In a February 2018 statement, the White House called the NotPetya outbreak the “most destructive and costliest [cyberattack] in history” and promised international consequences for it.
The legal dispute covered the losses Merck claimed to have suffered due to the attack, including $135 million in lost revenue, $175 in remediation costs to bring systems back online, and $870 million to remediate disruption and encrypted files and improve security and acquire new equipment.
The ruling is a critical win not only for Merck, but for policyholders around the world. John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based digital IT and security operations company, explains, “The growth of ransomware is pushing the financial boundaries of insurance companies, so they’ve been looking for escape hatches. ‘Act of war’ clauses are common in insurance contracts, but only in cybersecurity is there any real risk of that. Organizations will have to bake in this gap into their risk mitigation plans, but the answer to cybersecurity has never been ‘more insurance’ anyway.”
In just four years since 2017, cyber insurance has progressed dramatically, says Jack Kudale, founder and CEO of Cowbell Cyber, a California-based provider of AI-powered cyber insurance for SMBs. “Critical elements needed to modernize the approach and achieve full alignment between policyholders and their insurers include standardization of coverages, clarification of terms, advanced and continuous assessment of cyber risk, and transparency in the underwriting process.”