Drugmaker Merck's long legal battle with its insurance companies over the damages caused to its business by the NotPetya wiper worm ended last week when the company settled with a bevy of insurance companies that had refused to pay $699 million of the $1.4 billion in claimed damages, citing hostile/warlike act exclusion clauses.
Merck has remained mum on the details of the settlement - and did not return a request for comment - but the reported settlement will likely have less impact than the lawsuit's long road through the courts, which included two rulings for the drugmaker, cyber-insurance industry experts say.
Already, cyber-insurance firms have clarified the act-of-war clauses in their policies, a task mandated by large insurance firms such as Lloyd's.
The sticking point is whether damaging cyberattacks by state-sponsored actors constitute an exclusion in a particular policy, says Shawn Ram, head of insurance for cyber-insurance firm Coalition.
With geopolitical conflicts expanding around the globe, and cyber operations a common tactic in many nations' arsenals, more companies are looking to mitigate risks from damaging cyberattacks, no matter whether the attacker is a nation's military or an independent cybercriminal group.
The resolution of the Merck lawsuit sounds a note of hope for businesses and large industry organizations - from the National Association of Manufacturers to the Restaurant Law Foundation - which argued in support of Merck's lawsuit.
Merck's lawsuit stemmed from the NotPetya attack that hit companies and organizations worldwide in June 2017, wiping hard drives, disrupting operations, and causing significant business losses.
For Merck, the attack was devastating, shutting down research, sales and manufacturing - in some cases, for weeks - with damages reaching a claimed $1.4 billion.
Some insurers refused to pay for the damages, claiming that the widespread attack fell under the act-of-war clauses common in insurance policies, and in particular, Merck's property-insurance policy, under which it made the claim.
Even after a widespread effort by the insurance industry to clarify those exclusions, companies should take care and ensure that they are getting the coverage that they need, says Alla Valente, a senior analyst with Forrester Research.
Two Losses, Avoiding a Third
In the latest milestone in the saga, the insurance companies settled with Merck right before the drug company and its insurers were due to argue their cases before the New Jersey Supreme Court.
The appellate court later affirmed that decision, according to its May 2023 ruling.
While insurance companies likely avoided a third loss by settling, the insurance industry had already embarked on clarifying exclusions to broad outbreaks of cyberattacks.
In August 2022, insurance giant Lloyd's issued requirements for its underwriters for state-backed cyberattack exclusions to minimize catastrophic losses to the cyber-insurance industry.
Clarify Conflict Clauses, Shrink the Attack Surface
Following the settlement, it's even more important that companies are clear as to what damages they want to be covered by their cyber insurance.
Companies should also realize that having to make an insurance claim is a poor substitute for blunting the attack in the first place, says Coalition's Ram.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 11 Jan 2024 14:35:17 +0000