A US court has ruled that a company that fell victim to the NotPetya ransomware is entitled to compensation. The ruling could set an interesting precedent for companies falling victim to cybercriminals.

The American pharmaceutical company Merck & Co fell victim to the ransomware NotPetya in 2021. The company turned to its insurance broker to cover the damage from the attack. However, he invoked a “war clause” in the contract because the ransomware was specifically linked to Russia.

The case went to the New Jersey court and Merck & Co won twice. The court ruled that the attack on the company was not part of a military action, but rather “regrettable collateral damage” as the ransomware ended up in the hands of criminals.

Consequently, the incident must be viewed as a typical cyber attack and Merck & Co has the right to sue the insurer for compensation for the damage. In total, the company can demand $1.4 billion from its insurers.

Systemic Risks

What is the significance of this incident now? This could set a precedent for disputes between insurers and customers. Ransomware attacks are on the rise worldwide and insurance companies are also affected. The CEO of Zurich Insurance, one of Europe’s largest insurance companies, recently stated that cyberattacks have become “uninsurable” and must be viewed as a systemic risk.

This term covers certain exceptional situations in which the insurer does not intervene in the event of a claim. Many policies consider “war risk damage” to be such a systemic risk. As part of the attack on Merck & Co, the insurer therefore wanted to invoke this clause. After all, cyber attacks are now also a form of warfare.

The court has thus swept this line of argument from the table, and there is a lot to be said for it. Just because a ransomware virus was once used in a political context doesn’t mean that every incident must serve a higher purpose. Criminals looking for a quick buck use the same weapons, and in criminal circles, ransomware is traded like sandwiches in a sandwich shop.

This makes the line between economic and political attacks very thin. The court’s ruling therefore stipulates that it is for the insurer, and not the victim, to prove that a form of cyber warfare is involved.

cloth to bleed

Don’t think of this as a “win” for Merck & Co; the compensation covers only part of the total cost of the attack. Cyber ​​insurance is nothing more than a band-aid on the wound when the damage has already been done. Investing in prevention is still the best medicine against cyber attacks.