Merck & Co. was victimized by a cyber attack in 2017 that was so extreme, that it is estimated the damages exceeded $870 million. Naturally, the company turned to its insurers. The problem? Their insurers claimed that coverage did not apply to an act of war.
War is not something the average American company finds itself concerned with. The issue comes down to what events constitute an act of war. There’s no dollar amount that must be exceeded, it really comes down to who attacked what, and why. In this instance, the issue comes down to the perpetrator of the cyber attack.
When the attack was first discovered, Merck employees found their computers locked down with a message demanding $300 in bitcoin for each computer to be unlocked and its digital contents returned. Those demands made it seem as though the attack was a simple robbery. However, it turns out all of that was just a ruse.
The true goal of the attack was not the ransom, but rather collateral damage of a larger attack. The true perpetrators of the attack were not ordinary criminals, but the NotPetya—Russia’s military intelligence agency. The involvement of Russia in the crime is what caused Merck & Co.’s insurers to claim the act of war exemption on their policies.
The Insurance Journal dug deeper and explained how the American company got caught up in a Russian cyber attack. “NotPetya’s real targets were half a world away, in Ukraine, which has been in heightened conflict with Russia since 2014. In the former Soviet republic, the malware rocketed through government agencies, banks, power stations—even the Chernobyl radiation monitoring system. Merck was apparently collateral damage. NotPetya contaminated Merck via a server in its Ukraine office that was running an infected tax software application called M.E.Doc.”
The attack had far-reaching ramifications for the insurance industry. Most insurers have since taken the time to update the language surrounding their cyber policies to make more clear exactly what is and what is not covered. The moral of the story for the average business owner? Get cyber insurance, but read the fine print.
To learn more about your current policy, or to inquire about a new one, talk with TGS Insurance at www.tgsinsurance.com.