One year on from what is already the largest loss in cyber liability history, insurers on US pharmaceutical firm Merck’s vast $1.75bn property tower are still waiting on a formal loss notification.

If it comes, that notification could possibly lead to disputes over coverage and increase the potential for insured losses to increase further after last year’s 27 June NotPetya attack.

largest insured cyber events

Today marks the one year anniversary of the massive attack, which remains - by some distance - the largest insured cyber loss in the industry’s relative-short history (see chart).

According to the loss calculation service PCS, the attack will - as it stands - cost the industry $275mn which equates to the size of Merck’s dedicated cyber tower, sources say.

But given the scale of business interruption suffered by Merck and the size of its separate property tower - where the wordings are not thought to exclude cyber - the prospect of up to $1bn of cyber-related losses from a single event still remains a possibility.

In its 2017 annual 10-K filing, Merck disclosed losses of up to $915mn from the attack to cover the cost of undoing the damage and dealing with a backlog of unfulfilled orders.

The firm said that after receiving around $45mn in insurance recoveries, it had still recorded $285mn of manufacturing-related expenses in 2017. Other costs include lost sales since the attack (see table).

The extent of the liability facing insurers on the property tower will ultimately depend on their individual policy wordings, which are understood to vary significantly and could lead to coverage disputes.

Indeed, in its 2017 accounts, the pharmaceutical company said it had “insurance coverage against costs resulting from cyber-attacks and has received proceeds.

“However,” it went on, “there may be disputes with the insurers about the availability of the insurance coverage for claims related to this incident”.

According to sources, while property insurers have been notified of a potential loss exposure, no formal loss submission has been provided to carriers on the property tower.

Nonetheless, there have been informal discussion between placing broker Aon, Merck’s property insurers and those carriers’ own reinsurers, understands.

AIG is one of the insurers on the property program and is widely understood to have a circa $200mn exposure to the placement. Zurich is also thought to have a similar participation and Liberty has a $100mn line, according to sources.

FM Global, another market on the program, is thought to have tighter coverage wordings, according to one well-placed source.

One underwriter stressed that there is still much uncertainty about the size of the potential loss, considering the complications of business interruption claims.

If a formal loss notification to property insurers occurs - as many expect - it will once again ignite the debate on the industry’s exposure to non-affirmative or silent cyber cover.

It may also seep into the reinsurance markets. For example, AIG’s per risk reinsurance program is understood to attach at $125mn and the language is described as a typical “follow the fortunes” cover which would imply its reinsurers would be liable if AIG’s limit is exhausted.

AIG’s reinsurance broker, Guy Carpenter, declined to comment on whether they have notified AIG’s reinsurers of a potential loss exposure.

AIG and Aon also declined to comment. Merck, Zurich, Liberty and FM Global did not respond to a request for comment.

In June last year, Merck was hit by the cyber attack, which it disrupted its worldwide operations, including manufacturing, research and sales operations.

By the end of July, the company said it was in the process of restoring its manufacturing operations, while its formulation operations were partially restored and its packaging operations were largely back online.

An estimated 70,000 employees were forbidden from accessing their computers and company emails were disabled.

Merck’s NotPetya cost broken down:

$260mn: Negative impact on 2017 sales

$330mn ($285mn net of $45mn): Marketing and admin expenses, production costs

$200mn: Impact on 2018 sales through residual backlog

$125mn: Reduction in sales through inability to meet demand for Gardasil 9