Insurer must pay $1.4 billion in major ransomware case

An American insurer must pay out $1.4 billion to Merck due to the NotPetya ransomware attack. The court ruling could have many consequences for insurers worldwide, because Ace Insurance claimed that NotPetya was an act of war.

Of the pronounciation a long-running lawsuit between Ace American Insurance and Merck, which operates in the rest of the world as Merck, Sharpe and Dohme or MSD, is settled. International pharmaceutical and chemical company Merck was hit by the NotPetya ransomware in June 2017, along with dozens of other companies and government agencies. NotPetya is attributed by security experts to the Russian military intelligence service GRU, which wanted to use the ransomware as an act of sabotage in the then conflict in Ukraine, in which Russia was not yet involved on paper. Merck was not a primary target, but was nevertheless hit by the ransomware via accounting program MEdoc. The company ultimately suffered more than hundreds of millions of dollars in damage from that attack after 10,000 machines were infected.

Merck contacted eight insurers where the company had a policy, including Ace American Insurance. The company had policies in place with various insurers that would pay out up to $1.75 billion after a deductible of $150 million. However, the insurers refused to pay out $700 million of that, arguing that NotPetya would be an act of war. Exceptions for this were included in the policy.

Merck then went to court. That became a long-running battle, which Merck seemed to win in January 2022. Then a New Jersey judge ruled that the various insurers had to compensate Merck for $1.4 billion in total damages. The insurers appealed, but have now been rejected by the court.

Not linked to military action

The appeal judge says that NotPetya “cannot be sufficiently linked to a military action, because it was a non-military cyber attack against an accounting software provider.” The insurers have therefore not sufficiently proven that the attack fell under the exception clause for war situations. The judge finds that this exception clause only applies if military action is involved. Although the United States generally believes NotPetya was a Russian military operation, the military does not view it as an official military act of war.

The ruling could have far-reaching consequences for the way in which ransomware is currently insured. Many insurers offer policies against damage from cyber attacks, especially ransomware. Like most insurance policies, acts of war are not covered, but with ransomware it has always been vague when an infection is an act of war or offensive by another country. Insurers are increasingly relying on exception clauses in the event of ransomware, which lawyers sometimes call a ‘catch-all category’. In the case, the judges now state in clear terms that insurers can no longer simply call every attack an act of war.