Settlement reached on Merck claim on NotPetya attack

SecurityWeek reports that Merck and its insurers have reached a settlement for a $1.4 billion insurance claim filed by the U.S. multinational pharmaceutical firm under its "all-risks" coverage for the destructive NotPetya cyberattack in 2017. Such a settlement, the terms of which were not disclosed, comes after Merck received the upper hand in court decisions handed over in 2022 and 2023. While Merck, which did not have cyber insurance during the NotPetya attack, was noted by insurers to not have been covered as the damage brought upon by the incident was excluded under the war exclusion clause, such clause was found by New Jersey Superior Court Judge Thomas Walsh to not apply for the specific intrusion. Walsh's decision was later upheld by the New Jersey appellate when the insurers appealed. "Pharmaceutical giant Merck & Co. Inc. struck an 11th-hour settlement with insurers Wednesday, evading a New Jersey Supreme Court review of its massive cyberattack insurance dispute on the eve of an oral argument that could have set a national precedent impacting the booming cyber insurance market," said Bloomberg Law.