Merck’s $1.4B NotPetya Claim Reshapes Cyber Insurance

Int’l desk: In a confidential agreement that quietly closed one of the insurance industry’s most closely watched cyber-related disputes, pharmaceutical giant Merck & Co. reached a settlement with a group of insurers over losses stemming from the 2017 NotPetya malware attack.

The resolution, announced in early 2024 just days before arguments were scheduled before the New Jersey Supreme Court, ended years of litigation over whether traditional property insurance policies would cover damages from a sophisticated cyber operation that the United States, the United Kingdom and other governments attributed to the Russian military.

Merck had sought approximately $1.4 billion in recovery for the widespread disruption caused by the NotPetya worm, which infected more than 40,000 computers across its global network. The attack crippled manufacturing, distribution and other operations at the New Jersey-based company, leading to significant production downtime, the replacement of damaged equipment and lost revenue.

Notably, Merck did not rely on a dedicated cyber insurance policy but instead filed under its “all-risks” property insurance coverage, which pays for any cause of loss that the policy does not expressly exclude. That structure made the wording of the exclusions decisive, and it pushed the case into the spotlight for its potential precedent-setting implications.

Insurers had denied portions of the claim, with roughly $700 million remaining in dispute by the later stages, invoking longstanding “hostile or warlike action” exclusions in the policies. They argued that NotPetya, which was seeded through Ukrainian targets and then spread worldwide within hours, was an act of the Russian government in the course of its conflict with Ukraine and therefore fell outside coverage.

Lower courts in New Jersey disagreed. A trial court ruling in 2022, upheld by an appellate court in 2023, determined that the exclusion language did not encompass the cyberattack on Merck. The judges emphasized that the policies’ wording, unchanged for decades, contemplated traditional kinetic warfare and military actions, and that a reasonable policyholder would not have understood it to reach a malware deployment against a private company that became collateral damage in a broader campaign.

The settlement leaves unresolved the broader question of how “acts of war” exclusions apply in the digital age, even as it provided Merck with an undisclosed recovery. Legal experts noted at the time that the case highlighted evolving interpretations of policy language drafted long before nation-state cyber operations became commonplace.

Similar disputes, such as Mondelez International’s smaller claim against Zurich over the same NotPetya incident, have also tested these boundaries, often resulting in private settlements rather than final court precedents.

NotPetya itself stands as one of the most destructive cyber events in history, with global economic damages estimated at around $10 billion by some analyses.

Designed primarily as a wiper rather than traditional ransomware (its “ransom” note offered no workable path to decryption), it entered victim networks through a trojanized update of the Ukrainian accounting software M.E.Doc and then moved laterally using the EternalBlue and EternalRomance SMB exploits together with credentials harvested from infected machines, affecting companies, hospitals and government entities far beyond its intended targets. For Merck, the operational fallout was particularly severe given the company’s reliance on interconnected IT systems for pharmaceutical production and regulatory compliance.

As of 2026, the Merck case continues to represent one of the highest-profile single cyber-related insurance disputes, even though dedicated cyber policies have proliferated and claim volumes have surged.

Industry reports show that while the average cyber insurance claim hovers in the low hundreds of thousands of dollars, severity for large enterprises can reach several million, driven mainly by ransomware, business email compromise and data breaches.

Outliers exist, with some individual claims exceeding $100 million, but public details remain scarce because settlements are typically covered by nondisclosure agreements. Recent data from insurers and cyber specialists indicate rising severity amid AI-enhanced threats, supply chain attacks and regulatory pressures, yet few publicly known cyber-related insurance disputes have matched the scale of Merck’s claimed losses under traditional coverage.

The episode carries significant implications for businesses, insurers and policymakers. It accelerated demand for explicit cyber insurance products with tailored wording around ransomware payments, business interruption and incident response.

At the same time, carriers have responded by tightening underwriting standards, requiring robust controls such as multi-factor authentication and network segmentation, and adding or clarifying war and cyber-terrorism exclusions. Lloyd’s of London, for example, required standalone cyber policies written in its market to carry exclusions for state-backed cyberattacks from March 2023.

Reinsurers, who absorb much of the tail risk, have grown more cautious about systemic “peak peril” scenarios where multiple large organizations suffer correlated losses.