By the time Deb Dellapena arrived for work at Merck & Co.’s 90-acre campus north of Philadelphia, there was a handwritten sign on the door: The computers are down.
It was worse than it seemed. Some employees who were already at their desks at Merck offices across the U.S. were greeted by an even more unsettling message when they turned on their PCs. A pink font glowed with a warning: “Ooops, your important files are encrypted. … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment …” The cost was $300 in Bitcoin per computer.
The ransom demand was a ruse. It was designed to make the software locking up many of Merck’s computers—eventually dubbed NotPetya—look like the handiwork of ordinary criminals. In fact, according to Western intelligence agencies, NotPetya was the creation of the GRU, Russia’s military intelligence agency—the same one that had hacked the Democratic National Committee the previous year.
NotPetya’s impact on Merck that day—June 27, 2017—and for weeks afterward was devastating. Dellapena, a temporary employee, couldn’t dig into her fact-checking work. Interns and temps bided their time at their desks before some of them were sent home a week later. Some employees gossiped, their screens dark. Others watched videos on their phones.
In all, the attack crippled more than 30,000 laptop and desktop computers at the global drugmaker, as well as 7,500 servers, according to a person familiar with the matter. Sales, manufacturing, and research units were all hit. One researcher told a colleague she’d lost 15 years of work. Near Dellapena’s suburban office, a manufacturing facility that supplies vaccines for the U.S. market had ground to a halt. “For two weeks, there was nothing being done,” Dellapena recalls. “Merck is huge. It seemed crazy that something like this could happen.”
As it turned out, NotPetya’s real targets were half a world away, in Ukraine, which has been in heightened conflict with Russia since 2014. In the former Soviet republic, the malware rocketed through government agencies, banks, power stations—even the Chernobyl radiation monitoring system. Merck was apparently collateral damage. NotPetya contaminated Merck via a server in its Ukraine office that was running an infected tax software application called M.E.Doc.
NotPetya spread. It hopped from computer to computer, from country to country. It hit FedEx, the shipping giant Maersk, the global confectioner Mondelez International, the advertising firm WPP, and hundreds of other companies. All in all, the White House said in a statement afterward, it was the “most destructive and costly cyberattack in history.”
By the end of 2017, Merck estimated initially in regulatory filings that the malware did $870 million in damages. Among other things, NotPetya so crippled Merck’s production facilities that it couldn’t meet demand that year for Gardasil 9, the leading vaccine against the human papillomavirus, or HPV, which can cause cervical cancer. Merck had to borrow 1.8 million doses—the entire U.S. emergency supply—from the Pediatric National Stockpile. It took Merck 18 months to replenish the cache, valued at $240 million. (The Centers for Disease Control and Prevention say the stockpile’s ability to deliver medicine wasn’t affected.)
Merck did what any of us would do when facing a disaster: It turned to its insurers. After all, through its property policies, the company was covered—after a $150 million deductible—to the tune of $1.75 billion for catastrophic risks including the destruction of computer data, coding, and software. So it was stunned when most of its 30 insurers and reinsurers denied coverage under those policies. Why? Because Merck’s property policies specifically excluded another class of risk: an act of war.
Merck went to court, suing its insurers, including such industry titans as Allianz SE and American International Group Inc., for breach of contract, ultimately claiming $1.3 billion in losses.
In a world where a hacker can cause more damage than a gunship, the dispute playing out in a New Jersey courtroom will have far-reaching consequences for victims of cyberattacks and the insurance companies that will or will not protect them. Until recently, the big worry associated with cyberattacks was data loss. The NotPetya strike shows how a few hundred lines of malicious code can bring a company to its knees.
As the nascent cyber insurance market has grown, so has skepticism about pricing digital risk at all. Few people understand risk as well as Warren Buffett, who’s built conglomerate Berkshire Hathaway Inc.—and one of the world’s biggest personal fortunes—on the back of insurance companies such as Geico and National Indemnity Co. “Frankly, I don’t think we or anybody else really knows what they’re doing when writing cyber,” he told investors in 2018. Anyone who says they have a firm grasp on this kind of risk, he said, “is kidding themselves.”
Those who could be on the receiving end of cyberattacks don’t underestimate the peril. Asked in September what kept him up at night, BP Plc Chief Executive Officer Bob Dudley said that aside from the transition away from fossil fuels, the threat of a catastrophic cyberattack worried him most. “It’s the one that you can have the least control of,” Dudley said on a call with investors. “That one keeps me awake at night.”
The depths of these concerns show why the fight between Merck and its insurers is not only about what happened on a summer’s day in 2017. It’s about what companies and their insurers fear lurks over the horizon.
UNION COUNTY’S IMPOSING 17-story neoclassical courthouse in Elizabeth, N.J., is a 15-minute drive from Merck’s global headquarters in Kenilworth. It’s also relatively conveniently located for the phalanxes of East Coast lawyers, from firms such as Covington & Burling and Steptoe & Johnson, who come here to do battle over the Merck case.
Their numbers are growing. One Monday in November, a dozen dark-suited lawyers filed into Judge Robert Mega’s 14th-floor courtroom. They were there to discuss pro hac vice (“for this time only”) applications to allow five additional colleagues to practice temporarily in New Jersey.