NotPetya ransomware cost Merck & Co more than $300 Mn per quarter
Brief about Merck & Co, Inc
Merck & Co, Inc is an American pharmaceutical company and one of the largest pharmaceutical companies in the world.
Headquarters – Kenilworth, New Jersey, United States
No of employees – 70,000 plus
Revenue – US$ 40 billion plus
Cyber attack – NotPetya ransomware
Petya & NotPetya are two malwares that affected almost all sectors in various countries in 2016 & 2017, respectively. Both malwares aim to encrypt the hard drive of infected computers. But, NotPetya is considered more dangerous as it has potential to spread and infect computers and also, it is understood as a state sponsored Russian cyber attack.
NotPetya ransomware’s effect on Merck & Co, Inc
According to new report (dated – 27th June, 2017) Merck & Co, Inc’s ability to supply its products got affected due to malware attack commonly known as “NotPetya”. Company’s e-mails were disabled, 70,000 employees were forbidden from touching their computers.
Merck has provided more detail about this attack. It stated that company has experienced a network cyber-attack that disrupted its worldwide operations, including manufacturing, research and sales operations. Further, the company said the attack had a $260 million impact on sales, $330 million impact on marketing and administrative expenses and production costs, and a $200 million impact on 2018 sales through residual backlog. Most operations were restored within six months.[1]
Besides loss of revenue (Business interruption) to Merck & Co. Inc, customers of Merck also got affected as manufacturing disruption resulted in shortage of product supply to customers. Although there is no evidence that disruption has created any risk to patients, it certainly raises concern.
One obvious effect was on its star HPV vaccine, which fell 22% and missed sales expectations by $100 million. On top of that, unable to produce enough Gardasil to meet demand; it was forced to borrow doses from the CDC’s stockpile to fulfil orders.[2]
Cyber Insurance as solution for incidences similar to one’s faced by Merck & Co, Inc–
Cyber Insurance policy is designed to pay various expenses for pre-loss prevention and post loss services. It also pays for damages awarded against Insured, along with defense cost incurred in defending claims.
1) Business Interruption – net profit loss cover
Because of Cyber incidence Insured may not be able to conduct normal operation which may last for weeks and few months. Business loss is major threat to Insured as it has direct and major impact on net profit of Insured.
Cyber Insurance policy provides cover for loss of net profit after cyber incident subject to excess (usually 12hrs or 24hrs waiting period as excess) till restoration of normal business operations.
2) Cyber Incident Response cover –
As part of response to cyber incidence, following expert teams may be required –
- Cyber Forensic expert team – for cyber forensic investigation
- PR agencies – for public relation consulting
- Legal requirements – to defend Insured in Court of Law from claim brought by customers and other parties
- Credit monitoring services – required to track customer’s critical documents to ensure documents are not misused.
Cyber Insurance Policy covers reasonable expenses and fees charges by these response teams.
3) System damage & rectification / Post-Breach Remediation Costs/Restoration cost cover – Cyber Insurance Policy will pay reasonable expenses of rectification of systems as well as restoration of data.
4) Digital Media Liability – Defamation or Intellectual property rights infringement – Cyber Insurance Policy pays for defense cost and damages awarded in defamation suits and IPR related suits (relating to or arising from cyber incidence) from customers.
Other major covers available under Cyber Insurance are –
- Cyber extortion & ransoms cover
- Computer fraud & Funds transfer fraud cover
- Outsource service providers cover, etc.
Underwriting Information
Duly filled proposal form or application form is required to underwrite the Cyber Insurance Policy. Important information which are reviewed by Insurer to underwrite Cyber Insurance policy are –
- Business activity
- Detail of Gross online revenue for 3 years of Insured
- Geographical spread of Insured
- No of IP Addresses & active ID address of Insured
- Data Protection Policy of Insured
- IT Security plan
- DDoS attack preparedness by Insured etc.
Indicative Premium for Limit of Liability (SI) is mentioned as below-
| Limit of Liability | Premium |
| INR 5 Cr | INR 5 Lakh |
| INR 10 Cr | INR 8 Lakh |
| INR 20 Cr | INR 12 Lakh |
| INR 50 Cr | INR 23 Lakh |
-Warm Regards
Beacon Insurance Brokers Pvt Ltd
[1] News Link – https://www.fiercepharma.com/manufacturing/merck-has-hardened-its-defenses-against-cyber-attacks-like-one-last-year-cost-it
[2] News Link – https://www.fiercepharma.com/manufacturing/merck-says-its-has-restored-most-its-manufacturing-hit-by-cyber-attack