Merck wins NotPetya claim – but the future of cybersecurity insurance is complicated


Pharmaceutical company Merck & Co won its case for coverage of losses incurred during the NotPetya cyberattack, securing a payment of US$1.4 billion from its insurer. The insurer had previously withheld payment, citing the policy's exclusion clauses.

In 2017, NotPetya crippled IT systems and companies around the world and affected global industry giants such as the logistics company Moeller Maersk. The infection wave started in Ukraine and is widely believed to be of Russian origin. Merck was also hit, reporting more than 40,000 infected computers in its network.

The incident, the insurer argued, was an act of war – which is usually excluded from insurance coverage. This case, along with similar ones such as that of the food company Mondelez, has been closely watched by cybersecurity experts. Had the insurer's position held up in court, it would have significantly reduced the usefulness of cybersecurity insurance.

The court ruled that the claim could not be dismissed that easily. The wording of the insurance contract is intended to exclude physical acts of war, not cyberattacks. As the judge wrote: “[…] Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyberattacks. Certainly, they had the ability to do so.”

Companies cannot rely on cybersecurity insurance alone – if they can even get one

Cybersecurity insurance policies can cover losses incurred during cyberattacks. However, the situation has changed dramatically since 2017. Back then, insurers issued policies with few preconditions and broad coverage of both losses and remediation after an incident. Premiums were low in the first years of such policies, which led many companies to take out insurance.

In today's threat landscape, however, it is increasingly hard for companies to obtain a policy at all. The rise of ransomware incidents and the ever-mounting costs of cyberattacks have led insurers to select their customers more carefully. Without a good security posture, a prospective customer is unlikely to get any coverage under a cybersecurity policy. And even then, today’s policies will usually cap the percentage of potential loss and damage that is covered.

Companies that can purchase such insurance will typically be better equipped to deal with an incident anyway. The situation reaffirms what cybersecurity experts have been saying for some time now: there is no easy fix for better cybersecurity. Taking out insurance alone does not help, just as a purely technical approach to defence is not sufficient. Management needs to get involved by establishing processes, training staff, and enabling its own IT department to tackle emerging challenges. That means investment, in terms of both people and money.

by Hauke Gierow
Head of Corporate Communications