How will the Merck settlement affect the insurance industry?


A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?


In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.


NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit that harvested user passwords from Windows machines.


The malware was designed to infect without user action, move laterally inside networks and spread very fast, sometimes taking down entire networks in less than a minute. Once executed, it would overwrite the master boot record, preventing the infected machine from booting.


A ransom note demanded payment for decryption. But there was no mechanism or plan for doing so. Its purpose was to convince victims they were hit by ransomware. In fact, NotPetya existed only to destroy data without a path to recovery.


Merck v. Ace American


Merck estimated that the attack cost $1.4 billion. Those costs included a temporary loss of production capacity, as well as the cost of equipment and new IT hiring necessary to recover.


The company had a $1.75 billion “all-risk” insurance policy with Ace American. But the insurer rejected Merck’s claim, saying that because NotPetya started in the Russia/Ukraine war, the policy’s “Acts of War” exclusion clause meant it didn’t have to pay.


Merck sued Ace American in November 2019. Merck’s case centered mainly on the argument that the attack was not the result of an official state action and that Merck was a mere bystander outside the theater of conflict. New Jersey Superior Court judge Thomas J. W ..
