
The U.S.-based Ace Insurance has been forced to pay $1.4 billion to pharmaceutical company Merck. The latter was hit by the Russian NotPetya ransomware. The insurer did not want to pay out, arguing that the attack had been an act of war.

The US judge argued that the all-risk insurance that Merck had taken out with Ace also covered a potentially politically motivated hack. The case between the two parties had been going on for five years.

‘Act of war’

Merck was hit by the NotPetya ransomware in June 2017. According to experts, Russia allegedly deployed this software to sabotage Ukraine, which the Russians had not officially invaded at the time. Merck was hit via the accounting program M.E.Doc and was forced to deal with 10,000 infected devices.

It cost the company $850 million and disrupted the development of an HPV vaccine. In addition, the company reportedly lost $400 million in sales. The ransomware variant of the Petya malware family exploited an unpatched vulnerability in Microsoft software. Ace Insurance did not want to cover these damages, arguing that the attack was an “act of war” from Russia. A clause in U.S. law exempts insurers from covering damages from acts of war. However, the judge disagreed with this line of defence. Because the attack hit accounting software, its target could not be considered a military one. In other words, it was not an “act of war.”

A New Jersey judge had already ruled in Merck’s favour in December 2021, but now the result of Ace’s appeal is also known.

The court decision could have significant implications for insurance companies. Cyber attacks habitually have Russian origins, even though the exact location of each hacker involved can be far from certain. According to British authorities back in 2018, NotPetya was “almost certainly” directed by the Russian military. It could therefore be argued that a nation-state was responsible for the attack on Merck, but the insurance company cannot reject the claim for that reason. It will reassure many businesses in America that with all-risk insurance, they are also covered in the event of cybercrime – even though no organization will want to be hit by a ransomware attack in the first place.
