Asymmetric Warfare
Bloomberg Markets|December 2019 - January 2020
In a world where a keyboard can cause more damage than a gunship, a corporate cyber attack victim and its insurers have gone to court to figure out what’s covered and what’s not
By David Voreacos, Katherine Chiglinsky, and Riley Griffin

By the time Deb Dellapena arrived for work at Merck & Co.’s 90-acre campus north of Philadelphia, there was a handwritten sign on the door: The computers are down.

It was worse than it seemed. Some employees who were already at their desks at Merck offices across the U.S. were greeted by an even more unsettling message when they turned on their PCs. A pink font glowed with a warning: “Ooops, your important files are encrypted. … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment …” The cost was $300 in Bitcoin per computer.

The ransom demand was a ruse. It was designed to make the software locking up many of Merck’s computers—eventually dubbed NotPetya—look like the handiwork of ordinary criminals. In fact, according to Western intelligence agencies, NotPetya was the creation of the GRU, Russia’s military intelligence agency—the same one that had hacked the Democratic National Committee the previous year.

NotPetya’s impact on Merck that day—June 27, 2017—and for weeks afterward was devastating. Dellapena, a temporary employee, couldn’t dig into her fact-checking work. Interns and temps bided their time at their desks before some of them were sent home a week later. Some employees gossiped, their screens dark. Others watched videos on their phones.

In all, the attack crippled more than 30,000 laptop and desktop computers at the global drugmaker, as well as 7,500 servers, according to a person familiar with the matter. Sales, manufacturing, and research units were all hit. One researcher told a colleague she’d lost 15 years of work. Near Dellapena’s suburban office, a manufacturing facility that supplies vaccines for the U.S. market had ground to a halt. “For two weeks, there was nothing being done,” Dellapena recalls. “Merck is huge. It seemed crazy that something like this could happen.”

As it turned out, NotPetya’s real targets were half a world away, in Ukraine, which has been in heightened conflict with Russia since 2014. In the former Soviet republic, the malware rocketed through government agencies, banks, power stations—even the Chernobyl radiation monitoring system. Merck was apparently collateral damage. NotPetya contaminated Merck via a server in its Ukraine office that was running an infected tax software application called M.E.Doc.

NotPetya spread. It hopped from computer to computer, from country to country. It hit FedEx, the shipping giant Maersk, the global confectioner Mondelez International, the advertising firm WPP, and hundreds of other companies. All in all, the White House said in a statement afterward, it was the “most destructive and costly cyberattack in history.”

By the end of 2017, Merck initially estimated in regulatory filings that the malware did $870 million in damages. Among other things, NotPetya so crippled Merck’s production facilities that it couldn’t meet demand that year for Gardasil 9, the leading vaccine against the human papillomavirus, or HPV, which can cause cervical cancer. Merck had to borrow 1.8 million doses—the entire U.S. emergency supply—from the Pediatric National Stockpile. It took Merck 18 months to replenish the cache, valued at $240 million. (The Centers for Disease Control and Prevention say the stockpile’s ability to deliver medicine wasn’t affected.)

Merck did what any of us would do when facing a disaster: It turned to its insurers. After all, through its property policies, the company was covered—after a $150 million deductible—to the tune of $1.75 billion for catastrophic risks including the destruction of computer data, coding, and software. So it was stunned when most of its 30 insurers and reinsurers denied coverage under those policies. Why? Because Merck’s property policies specifically excluded another class of risk: an act of war.

Merck went to court, suing its insurers, including such industry titans as Allianz SE and American International Group Inc., for breach of contract, ultimately claiming $1.3 billion in losses.

In a world where a hacker can cause more damage than a gunship, the dispute playing out in a New Jersey courtroom will have far-reaching consequences for victims of cyberattacks and the insurance companies that will or will not protect them. Until recently, the big worry associated with cyberattacks was data loss. The NotPetya strike shows how a few hundred lines of malicious code can bring a company to its knees.

As the nascent cyber insurance market has grown, so has skepticism about pricing digital risk at all. Few people understand risk as well as Warren Buffett, who’s built conglomerate Berkshire Hathaway Inc.—and one of the world’s biggest personal fortunes—on the back of insurance companies such as Geico and National Indemnity Co. “Frankly, I don’t think we or anybody else really knows what they’re doing when writing cyber,” he told investors in 2018. Anyone who says they have a firm grasp on this kind of risk, he said, “is kidding themselves.”

Those who could be on the receiving end of cyberattacks don’t underestimate the peril. Asked in September what kept him up at night, BP Plc Chief Executive Officer Bob Dudley said that aside from the transition away from fossil fuels, the threat of a catastrophic cyberattack worried him most. “It’s the one that you can have the least control of,” Dudley said on a call with investors. “That one keeps me awake at night.”

The depths of these concerns show why the fight between Merck and its insurers is not only about what happened on a summer’s day in 2017. It’s about what companies and their insurers fear lurks over the horizon.

UNION COUNTY’S IMPOSING 17-story neoclassical courthouse in Elizabeth, N.J., is a 15-minute drive from Merck’s global headquarters in Kenilworth. It’s also relatively conveniently located for the phalanxes of East Coast lawyers, from firms such as Covington & Burling and Steptoe & Johnson, who come here to do battle over the Merck case.

Their numbers are growing. One Monday in November, a dozen dark-suited lawyers filed into Judge Robert Mega’s 14th-floor courtroom. They were there to discuss pro hac vice (“for this time only”) applications to allow five additional colleagues to practice temporarily in New Jersey.

