In 2017, Merck lost an& eye-popping $1.3 billion when it got caught in the crossfire of a Russian cyberattack targeting Ukraine. The event, later dubbed NotPetya, was the largest cyberattack in history, costing $10 billion worldwide — economic damage akin to a medium-sized hurricane, or a small war. Western governments vowed to hold Russia accountable, yet none stepped forward to support the companies that were hit by the attack.
Insurance was more helpful — to a point. The insurance industry sells policies specifically designed for cyber incidents, but their scope and scale remain limited. Cyber insurance paid for just 3% of NotPetya’s global damage, leading some NotPetya victims to turn to other insurance policies with more ambiguous terms. For example, Merck invoked property and casualty policies that covered all manner of hazards without explicitly mentioning cyber incidents. These policies had so-called “war exclusions,” which barred coverage for damages due to “hostile or warlike actions” by governments or their agents. Many insurers cited these clauses to push back on the claims, triggering high-stakes legal battles that continue to this day.