Merck cyberattack’s $1.3 billion question: Was it an act of war?
Merck cyberattack’s $1.3 billion question: Was it an act of war?
By the time Deb Dellapena arrived for work at Merck & Co.’s 90-acre campus in North Wales, there was a handwritten sign on the door: The computers are down.
It was worse than it seemed. Some employees who were already at their desks at Merck offices across the U.S. were greeted by an even more unsettling message when they turned on their PCs. A pink font glowed with a warning: “Ooops, your important files are encrypted. … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment …” The cost was $300 in Bitcoin per computer.
The ransom demand was a ruse. It was designed to make the software locking up many of Merck’s computers — eventually dubbed NotPetya — look like the handiwork of ordinary criminals. In fact, according to Western intelligence agencies, NotPetya was the creation of the GRU, Russia’s military intelligence agency — the same one that had hacked the Democratic National Committee the previous year.
NotPetya’s impact on Merck that day — June 27, 2017 — and for weeks afterward was devastating. Dellapena, a temporary employee, couldn’t dig into her fact-checking work. Interns and temps bided their time at their desks before some of them were sent home a week later. Some employees watched videos on their phones.
In all, the attack crippled more than 30,000 laptop and desktop computers at the global drugmaker, as well as 7,500 servers, according to a person familiar with the matter. Sales, manufacturing, and research units were all hit. One researcher told a colleague she’d lost 15 years of work. Near Dellapena’s suburban office, a manufacturing facility that supplies vaccines for the U.S. market had ground to a halt. “For two weeks, there was nothing being done,” Dellapena recalls. “Merck is huge. It seemed crazy that something like this could happen.”
As it turned out, NotPetya’s real targets were half a world away, in Ukraine, which has been in heightened conflict with Russia since 2014. In the former Soviet republic, the malware rocketed through government agencies, banks, power stations — even the Chernobyl radiation monitoring system. Merck was apparently collateral damage. NotPetya contaminated Merck via a server in its Ukraine office that was running an infected tax software application called M.E.Doc.
NotPetya spread. It hopped from computer to computer, from country to country. It hit FedEx, the shipping giant Maersk, the global confectioner Mondelēz International, the advertising firm WPP, and hundreds of other companies. All in all, the White House said in a statement afterward, it was the “most destructive and costly cyberattack in history.”
By the end of 2017, Merck estimated initially in regulatory filings that the malware did $870 million in damage. Among other things, NotPetya so crippled Merck’s production facilities that it couldn’t meet demand that year for Gardasil 9, the leading vaccine against the human papillomavirus, or HPV, which can cause cervical cancer. Merck had to borrow 1.8 million doses — the entire U.S. emergency supply — from the Pediatric National Stockpile. It took Merck 18 months to replenish the cache, valued at $240 million. (The Centers for Disease Control and Prevention say the stockpile’s ability to deliver medicine wasn’t affected.)
Merck did what any of us would do when facing a disaster: It turned to its insurers. After all, through its property policies, the company was covered — after a $150 million deductible — to the tune of $1.75 billion for catastrophic risks including the destruction of computer data, coding, and software. So it was stunned when most of its 30 insurers and reinsurers denied coverage under those policies. Why? Because Merck’s property policies specifically excluded another class of risk: an act of war.
Merck went to court, suing its insurers, including such industry titans as Allianz SE and American International Group Inc., for breach of contract, ultimately claiming $1.3 billion in losses.
In a world where a hacker can cause more damage than a gunship, the dispute playing out in a New Jersey courtroom will have far-reaching consequences for victims of cyberattacks and the insurance companies that will or will not protect them. Until recently, the big worry associated with cyberattacks was data loss. The NotPetya strike shows how a few hundred lines of malicious code can bring a company to its knees.
As the nascent cyber insurance market has grown, so has skepticism about pricing digital risk at all. Few people understand risk as well as Warren Buffett, who’s built the conglomerate Berkshire Hathaway Inc. — and one of the world’s biggest personal fortunes — on the back of insurance companies such as Geico and National Indemnity Co. “Frankly, I don’t think we or anybody else really knows what they’re doing when writing cyber,” he told investors in 2018. People who say they have a firm grasp on the risk are “kidding themselves.”
Those who could be on the receiving end of cyberattacks don’t underestimate the peril. Asked in September what worries him the most, BP PLC chief executive officer Bob Dudley said that aside from the transition away from fossil fuels, the threat of a catastrophic cyberattack “keeps me awake at night.”
The depths of these concerns show why the fight between Merck and its insurers is not only about what happened on a summer’s day in 2017. It’s about what companies and their insurers fear lurks over the horizon.
Union County’s imposing 17-story neoclassical courthouse in Elizabeth, N.J., is a 15-minute drive from Merck’s global headquarters in Kenilworth. It’s also relatively conveniently located for the phalanxes of East Coast lawyers, from firms such as Covington & Burling and Steptoe & Johnson, who come here to do battle over the Merck case.
Their numbers are growing. One Monday in November, a dozen dark-suited lawyers filed into Judge Robert Mega’s 14th-floor courtroom. They were there to discuss pro hac vice (“for this time only”) applications to allow five additional colleagues to practice temporarily in New Jersey.
Merck has already collected on some property insurance policies that specify coverage for cyberdamage while also settling with two defendants in the lawsuit for undisclosed amounts. One that settled, syndicate No. 382 at the insurance marketplace Lloyd’s of London Ltd., was in a group that covered losses only if they ranged from $1.15 billion to $1.75 billion.
The lawsuit in Union County addresses only property insurance claims. The $1.3 billion in losses that Merck claims includes expenses such as repairing its computer networks and the costs of business that was interrupted by the attack. Units of Chubb Ltd., Allianz, and other insurers have denied coverage on grounds that NotPetya was a “hostile or warlike” act or an act of terrorism, which are explicitly excluded by their policies.
As far as Merck is concerned, it was struck not by any of those excluded acts, but by a cyber event. “The ‘war’ and ‘terrorism’ exclusions do not, on their face, apply to losses caused by network interruption events such as NotPetya,” the company’s lawyers wrote in an Aug. 1 filing. “They do not mention cyber events, networks, computers, data, coding, or software.”
Lawyers for both sides declined to comment for this story. Merck declined to comment on the hack or the lawsuit beyond its public filings. Addressing the broader issue, Merck chief financial officer Robert Davis says: “We continue to make sure we fully invest to protect ourselves against the cyberthreats we see.” He didn’t disclose how much Merck spends on cybersecurity.
Nation-states for years have been developing digital tools to create chaos in time of war: computer code that can shut down ports, tangle land transportation networks, and bring down the electrical grid. But increasingly those tools are being used in forms of conflict that defy categorization, including the 2014 attack that exposed emails and destroyed computers at Sony Pictures Entertainment Inc. The U.S. government blamed that attack on North Korea. Sony settled claims by ex-employees.
In the Merck lawsuit, the insurers may well see an opportunity to prove that war exclusions should apply. Fighting in eastern Ukraine between Russian-backed separatist forces and Ukraine’s military has killed thousands.
“The insurers are confident that there is evidence to demonstrate attribution of NotPetya to the Russian military,” Philip Silverberg, a lead lawyer for the insurers, wrote to Judge Mega on Sept. 11.
To get it, the insurers will lean on the work of computer forensic experts who have analyzed NotPetya and may be able to testify that it bears the hallmarks of a Russian military operation. That analysis is complicated, because attackers often mask identities and can mislead investigators. The insurers may get a little help from the Trump administration. In its February 2018 statement, the White House said NotPetya “was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.”
“When the president of the United States comes out and says, ‘It’s Russia,’ it’s going to be hard to fight,” says Jake Williams, a former National Security Agency hacker who now helps companies hunt for vulnerabilities in their computer networks. “I’ll be surprised if the insurance companies don’t get a win. This is as solid a case as they’re going to get.”
In addition, the insurers are likely to probe whether Merck did as much as it could to defend itself against a NotPetya-like attack: Was the company, for example, vigilant in updating its computer software?
In any event, the attack that ricocheted around the world on June 27, 2017, was “the closest thing we’ve seen” to a cyber catastrophe, warns Marcello Antonucci, global cyber and technology claims team leader at the insurer Beazley PLC. “NotPetya was a wake-up call for everybody.”