Content, Breach, Ransomware

Merck’s NotPetya $275 Million Loss Could Prompt Rise in Cyber Insurance

Maybe you’re curious about how much last June’s global NotPetya ransomware attacks cost some of the hardest hit companies? Here’s one data point: A recent estimate by Verisk Analytics’ Property Claim Services (via Reuters) put the figure at a whopping $275 million for insurers covering U.S. pharmaceutical giant Merck’s loss.

Merck hasn't said how much the cyber attack actually cost the $40 billion company, which turned a $5.7 billion profit in 2016, in uninsured losses. If Verisk’s figures (the Jersey City, N.J. firm is a data analytics risk assessment specialist) are within reason, the $275 million downside amounts to .7 percent of last year’s revenue and slightly less than five percent of its net income. Neither number need be off-handedly dismissed owing to Merck’s size.

“Merck has not yet fully quantified its losses, much less given any of its insurers an estimate of the total amount of those losses,” a Merck spokeswoman told Reuters. Merck’s insurance will cover some costs, the spokesperson said, but provided no figures on how much will remain after a settlement is reached.

Merck, in an initial assessment of the damages last July, said its operations had been disrupted and warned some of its drug supply could be delayed. Will a percentage of its losses end up in higher consumer prices, an as yet undiscussed reverberation of NonPetya? We'll just have to wait to see on that one.

(Unrelated side note: Merck said recently that it will cut 1,800 sales jobs in a retrenching of its U.S. sales teams and add some 960 jobs to a new chronic care sales force.)

Merck may serve as a cautionary example for what could prompt an uptick in cyber security insurance purchases by large companies. Danish insurer Tryg believes that up to 90 percent of its corporate customers will purchase cyber crime insurance within five years, according to a separate Reuters report.

Following the launch of a new data recovery and business continuity (DR/BC) services at the beginning of this year, Tryg has already sold 5,000 cyber crime insurance policies, CEO Morten Hubbe told Reuters.

“There are no corporate clients today that don’t have insurance on their buildings or cars, but I think that within a very few years it will be just as evident that you should insure against cyber crime,” he reportedly said. Hubbe estimated that some 50 percent of the firm’s enterprise clients will buy cyber crime insurance by 2020 and two years later the figure should reach 90 percent.

Verisk has good company among those gauging cyber attack losses. Earlier this year, Lloyd’s of London, which monitors the insurance and reinsurance market, calculated at $53 billion the blow a cyber attack could deliver to the world’s economy, in research jointly delivered with Cyence, a risk modeling firm.

Lloyd’s research is aimed at insurers who write cyber policies to apply some numbers to quantify risk, pointing to data that estimated 2016's cyber attacks cost businesses up to $450 billion annually.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.