MRK - Merck & Co., Inc.
| Previous close | 88.85 |
| Open | 88.90 |
| Bid | 0.00 x 1800 |
| Ask | 0.00 x 1000 |
| Day's range | 88.20 - 89.00 |
| 52-week range | 70.89 - 89.24 |
| Volume | 5735126 |
| Avg. volume | 8,355,342 |
| Market cap | 226B |
| Beta (3Y monthly) | 0.53 |
| PE ratio (TTM) | 24.79 |
| EPS (TTM) | 3.58 |
| Earnings date | 5 Feb 2020 |
| Forward dividend & yield | 2.44 (2.75%) |
| Ex-dividend date | 2019-12-13 |
| 1y target est | 97.56 |
- Bloomberg
Merck Cyberattack Raises $1.3 Billion Legal Question
Dec.03 -- A legal dispute between the Merck & Co. and its insurers could determine who pays for cyber damage. Bloomberg's David Voreacos has more on "Bloomberg Markets."
- Bloomberg
Drug Giants Pay Hefty Premiums as Cancer-Drug Race Heats Up
(Bloomberg) -- Two of the world’s biggest pharmaceutical companies agreed to pay substantial premiums to acquire smaller cancer-drug makers, underlining the eagerness of the drug giants to add promising treatments to their oncology pipelines.In separate deals announced Monday, Merck & Co. agreed to buy ArQule Inc., which is developing drugs known as kinase inhibitors, for $2.7 billion, while French drug giant Sanofi agreed to buy Synthorx Inc., a maker of therapies that harness the immune system to fight tumors, for $2.5 billion.Both proposed transactions come with hefty price tags. In the ArQule deal, Merck will make a tender offer of $20 a share, more than double the smaller company’s closing price Friday. And in its deal for Synthorx, Sanofi agreed to pay nearly three times its target’s market value.Shares of ArQule more than doubled to $19.63 at 10:14 a.m. in New York, while Synthorx shares surged to $67.39, well above their Friday closing mark of $25.03.The substantial prices show that pharmaceutical giants are feeling increasingly pressed to pay up for companies that can restock their inventory of new drugs. For some time, drugmakers had balked at the lofty valuations of some publicly traded biotechnology companies.Merck Chief Marketing Officer Michael Nally, who is seen as a potential candidate to replace Chief Executive Officer Kenneth Frazier, said at a conference last week that the company doesn’t have an appetite for mega-deals, but would likely focus on transactions under $10 billion.Despite increasingly high premiums, “we’re not driven by the price of a deal,” Nally said. “We’re trying to find those spots where there’s those value-creating opportunities, and we look at everything. We’re not confined to a therapeutic area. We’re not confined to a size.”A persistent rally in biotech stocks could be forcing drugmakers to get off the sidelines before prices for appealing takeover targets climb even higher. The Nasdaq Biotechnology Index has surged some 24% this year.Deals like those unveiled Monday are likely to spur more gains in the sector, which is highly sensitive to takeover trends.Also on Monday, shares of XBiotech Inc. jumped 85% after Janssen Biotech Inc., a unit of Johnson & Johnson’s Janssen Pharmaceutical Co., agreed Saturday to buy rights to the company’s bermekimab, a potential treatment for colorectal cancer, for $750 million in cash.More CompetitionMerck already markets one of the world’s biggest-selling cancer treatments, the immunotherapy Keytruda, but like other large pharmaceutical companies, it has been searching for ways to expand its oncology offerings. Keytruda, which had 2018 sales of more than $7 billion, is expected to face increased competition in coming years.“We’ve been very committed to using Keytruda as our cornerstone--a foundational component to many therapies--while adding on additional targets,” Roy Baynes, senior vice president and head of global clinical development for Merck Research Laboratories, said in an interview. “As we diversify our oncology platform, I think we’ll follow the science more than targeting specific areas of disease.”ArQule, based in Woburn, Massachusetts, is focused on kinase inhibitor discovery. Its lead drug candidate, ARQ-531, is currently being studied in patients with a range of blood cancers. The drug will compete with a promising asset Eli Lilly & Co. acquired through its $8 billion purchase of Loxo Oncology in January, which jump-started a year of deals for new cancer compounds.“We were intrigued by the work that ArQule and others have been doing in this competitive space,” Baynes said. “The science has come to a moment in time where it looks very compelling. That was the driver moving ahead. Though the company has a number of other assets and a productive discovery engine, ARQ-531 is front and center.”In the past, Merck executives had signaled that high prices for biotech companies had been an impediment to getting deals done. But recently, the company has been more open to doing deals, and willing to pay more. Earlier this year, it spent $5.1 billion to buy the cancer-drug maker Peloton Therapeutics a day before the company was set to debut on the stock market.“We continue to think there is much more consolidation on the horizon” given the needs of drugmakers to beef up their pipelines, said Jared Holz, a health-care equity strategist at Jefferies LLC, in a note to clients.BofA Securities acted as financial adviser to Merck on the deal, and Covington & Burling was its legal counsel. Centerview Partners was financial adviser and Skadden, Arps, Slate, Meagher & Flom was legal adviser to ArQule.The transaction is expected to close early in the first quarter of 2020.Sanofi ShiftAt Sanofi, new Chief Executive Officer Paul Hudson is moving to put his stamp on the Paris-based drugmaker. The deal for La Jolla, California-based Synthorx underscores its efforts to build its portfolio of innovative therapies in a fast-growing and lucrative market. The purchase marks Sanofi’s first multibillion acquisition since early 2018.On Tuesday, Hudson is expected to lay out his pipeline and acquisition priorities, along with his initial plans for the consumer-health, diabetes and other units.Investors are counting on Hudson to fire up Sanofi’s research operations and step up the search for novel products to reduce its reliance on Dupixent, a standout medicine for severe eczema and asthma. Hudson, the former pharma head at Novartis AG, is credited with launching key medicines at his previous job before becoming CEO of Sanofi in September.Synthorx’s main drug, known as THOR-707, is being explored as a treatment for multiple types of solid tumors, together with immune checkpoint inhibitors and other future combinations.Morgan Stanley advised Sanofi, which used Weil, Gotshal & Manges as its law firm. Synthorx’s advisers were Centerview Partners LLC and Cooley LLP.(Updates stock-price information in fourth paragraph, adds quotes from executives throughout)\--With assistance from Cristin Flanagan and Ben Scent.To contact the reporters on this story: Riley Griffin in New York at rgriffin42@bloomberg.net;James Paton in London at jpaton4@bloomberg.netTo contact the editors responsible for this story: Drew Armstrong at darmstrong17@bloomberg.net, ;Eric Pfanner at epfanner1@bloomberg.net, Timothy Annett, Mark SchoifetFor more articles like this, please visit us at bloomberg.com©2019 Bloomberg L.P.
- Zacks
Merger Monday, Biotech Edition: MRK, SNY, ARQL, THOR & More
Large-cap pharmaceutical companies are putting their assets to work in the biotech space, particularly in cancer treatment (oncology).
- Zacks
Bristol-Myers' (BMY) Lymphoma Drug Meets Goals in Key Study
Bristol-Myers' (BMY) TRANSCEND NHL 001 study on CAR T-cell therapy drug meets endpoints.
- Investing.com
Stocks - Canopy Growth, ArQule Rise in Premarket; Microsoft Edges Lower
Investing.com -- Stocks in focus in premarket trade on Monday, 9th December.
- Zacks
Amgen Gets FDA Approval for J&J/Merck's Remicade Biosimilar
FDA gives nod to Amgen's (AMGN) Avsola (ABP 710), a biosimilar of J&J's blockbuster rheumatoid arthritis drug, Remicade.
- Reuters - UK Focus
US STOCKS-Wall St set to drop after weak Chinese data; Tariff deadline looms
U.S. stocks were set to open lower on Monday as weak data from China brought back fears of a slowdown in the world's second-biggest economy, while investors looked for any positive news on trade talks ahead of a tariff deadline later in the week. China's exports in November shrank for the fourth consecutive month, underscoring persistent pressures on manufacturers from the Sino-U.S. war, but growth in imports may be a sign that Beijing's stimulus steps are helping to stoke demand. In a quiet start to the week, market participants are expected to keep a close watch on trade as planned U.S. tariffs on Chinese imports kick in on Dec. 15 that will cover several consumer products, including mobile phones and toys.
- Simply Wall St.
Three Things You Should Check Before Buying Merck & Co., Inc. (NYSE:MRK) For Its Dividend
Is Merck & Co., Inc. (NYSE:MRK) a good dividend stock? How can we tell? Dividend paying companies with growing...
- Business Wire
Merck to Acquire ArQule, Advancing Leadership in Oncology
Merck to Acquire ArQule, Advancing Leadership in Oncology
- Zacks
Pharma Stock Roundup: FDA Updates for RHHBY, AZN, MRK, No Asbestos in Talc Says JNJ
The FDA approves Roche's (RHHBY) Tecentriq for expanded use. It grants priority review status to AstraZeneca (AZN) & Merck's (MRK) supplemental applications.
- Zacks
AstraZeneca's Lynparza Gets China Nod in First-Line Setting
AstraZeneca's (AZN) Lynparza receives approval in China for first-line maintenance treatment of advanced ovarian cancer with BRCA-mutation.
- Zacks
Bristol-Myers' Orencia Gets Breakthrough Therapy Tag for GvHD
The FDA grants Breakthrough Therapy designation to Bristol-Myers Squibb's (BMY) Orencia for the prevention of moderate-to-severe acute GvHD in hematopoietic SCT from unrelated donors.
- Zacks
J&J Stock Witnesses Volatility in '19: What to Expect in 2020
Here we discuss the ups and downs of J&J's (JNJ) stock this year.
- Business Wire
LYNPARZA® (olaparib) Approved in China as a First-Line Maintenance Therapy in BRCA-Mutated (BRCAm) Advanced Ovarian Cancer
LYNPARZA® (olaparib) Approved in China as a First-Line Maintenance Therapy in BRCA-Mutated (BRCAm) Advanced Ovarian Cancer
- Reuters
AstraZeneca-Merck Lynparza wins approval in China for ovarian cancer treatment
The approval in China is based on the results from a late-stage study in which Lynparza lowered the risk of disease progression or death by 70% when compared to placebo. Lynparza is currently approved in 65 countries for the maintenance treatment of platinum-sensitive relapsed ovarian cancer, the companies said.
- Reuters - UK Focus
REFILE-AstraZeneca-Merck Lynparza wins approval in China for ovarian cancer treatment
AstraZeneca Plc and Merck & Co Inc said on Thursday that their drug, Lynparza, won approval in China as a first line treatment for a form of ovarian cancer. The approval in China is based on the results from a late-stage study in which Lynparza lowered the risk of disease progression or death by 70% when compared to placebo. Lynparza is currently approved in 65 countries for the maintenance treatment of platinum-sensitive relapsed ovarian cancer, the companies said.
- Zacks
Bristol-Myers' Reblozyl to be Reviewed by FDA Committee
Bristol-Myers (BMY) and Acceleron Pharma Inc.'s sBLA for Reblozyl in patients with myelodysplastic syndromes will be reviewed by the FDA's Oncologic Drugs Advisory Committee.
- Zacks
Biotech Stock Roundup: Pipeline Updates From BIIB, AXSM, CARA, Collaborations & More
Key highlights of the past week include regulatory and pipeline updates along with collaboration deals.
- Zacks
Roche's Tecentriq-Chemo Combo Gets FDA Nod in First-Line NSCLC
Roche (RHHBY) obtains FDA approval for Tecentriq in combination with chemotherapy for the first-line treatment of adults with metastatic NSCLC.
- Zacks
Pfizer/Astellas Xtandi Gets Nod in China for Prostate Cancer (Revised)
Pfizer (PFE)/Astellas' Xtandi gets approval in China to treat metastatic castration-resistant prostate cancer (CRPC).
- Bloomberg
Merck Cyberattack’s $1.3 Billion Question: Was It an Act of War?
(Bloomberg Markets) -- By the time Deb Dellapena arrived for work at Merck & Co.’s 90-acre campus north of Philadelphia, there was a handwritten sign on the door: The computers are down.It was worse than it seemed. Some employees who were already at their desks at Merck offices across the U.S. were greeted by an even more unsettling message when they turned on their PCs. A pink font glowed with a warning: “Ooops, your important files are encrypted. … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment …” The cost was $300 in Bitcoin per computer.The ransom demand was a ruse. It was designed to make the software locking up many of Merck’s computers—eventually dubbed NotPetya—look like the handiwork of ordinary criminals. In fact, according to Western intelligence agencies, NotPetya was the creation of the GRU, Russia’s military intelligence agency—the same one that had hacked the Democratic National Committee the previous year.“For two weeks, there was nothing being done. Merck is huge. It seemed crazy that something like this could happen”NotPetya’s impact on Merck that day—June 27, 2017—and for weeks afterward was devastating. Dellapena, a temporary employee, couldn’t dig into her fact-checking work. Interns and temps bided their time at their desks before some of them were sent home a week later. Some employees gossiped, their screens dark. Others watched videos on their phones.In all, the attack crippled more than 30,000 laptop and desktop computers at the global drugmaker, as well as 7,500 servers, according to a person familiar with the matter. Sales, manufacturing, and research units were all hit. One researcher told a colleague she’d lost 15 years of work. Near Dellapena’s suburban office, a manufacturing facility that supplies vaccines for the U.S. market had ground to a halt. “For two weeks, there was nothing being done,” Dellapena recalls. “Merck is huge. It seemed crazy that something like this could happen.”As it turned out, NotPetya’s real targets were half a world away, in Ukraine, which has been in heightened conflict with Russia since 2014. In the former Soviet republic, the malware rocketed through government agencies, banks, power stations—even the Chernobyl radiation monitoring system. Merck was apparently collateral damage. NotPetya contaminated Merck via a server in its Ukraine office that was running an infected tax software application called M.E.Doc.NotPetya spread. It hopped from computer to computer, from country to country. It hit FedEx, the shipping giant Maersk, the global confectioner Mondelēz International, the advertising firm WPP, and hundreds of other companies. All in all, the White House said in a statement afterward, it was the “most destructive and costly cyberattack in history.” By the end of 2017, Merck estimated initially in regulatory filings that the malware did $870 million in damages. Among other things, NotPetya so crippled Merck’s production facilities that it couldn’t meet demand that year for Gardasil 9, the leading vaccine against the human papillomavirus, or HPV, which can cause cervical cancer. Merck had to borrow 1.8 million doses—the entire U.S. emergency supply—from the Pediatric National Stockpile. It took Merck 18 months to replenish the cache, valued at $240 million. (The Centers for Disease Control and Prevention say the stockpile’s ability to deliver medicine wasn’t affected.)Merck did what any of us would do when facing a disaster: It turned to its insurers. After all, through its property policies, the company was covered—after a $150 million deductible—to the tune of $1.75 billion for catastrophic risks including the destruction of computer data, coding, and software. So it was stunned when most of its 30 insurers and reinsurers denied coverage under those policies. Why? Because Merck’s property policies specifically excluded another class of risk: an act of war.Merck went to court, suing its insurers, including such industry titans as Allianz SE and American International Group Inc., for breach of contract, ultimately claiming $1.3 billion in losses.In a world where a hacker can cause more damage than a gunship, the dispute playing out in a New Jersey courtroom will have far-reaching consequences for victims of cyberattacks and the insurance companies that will or will not protect them. Until recently, the big worry associated with cyberattacks was data loss. The NotPetya strike shows how a few hundred lines of malicious code can bring a company to its knees.As the nascent cyber insurance market has grown, so has skepticism about pricing digital risk at all. Few people understand risk as well as Warren Buffett, who’s built conglomerate Berkshire Hathaway Inc.—and one of the world’s biggest personal fortunes—on the back of insurance companies such as Geico and National Indemnity Co. “Frankly, I don’t think we or anybody else really knows what they’re doing when writing cyber,” he told investors in 2018. Anyone who says they have a firm grasp on this kind of risk, he said, “is kidding themselves.”Those who could be on the receiving end of cyberattacks don’t underestimate the peril. Asked in September what kept him up at night, BP Plc Chief Executive Officer Bob Dudley said that aside from the transition away from fossil fuels, the threat of a catastrophic cyberattack worried him most. “It’s the one that you can have the least control of,” Dudley said on a call with investors. “That one keeps me awake at night.”The depths of these concerns show why the fight between Merck and its insurers is not only about what happened on a summer’s day in 2017. It’s about what companies and their insurers fear lurks over the horizon.Union County’s imposing 17-story neoclassical courthouse in Elizabeth, N.J., is a 15-minute drive from Merck’s global headquarters in Kenilworth. It’s also relatively conveniently located for the phalanxes of East Coast lawyers, from firms such as Covington & Burling and Steptoe & Johnson, who come here to do battle over the Merck case.Their numbers are growing. One Monday in November, a dozen dark-suited lawyers filed into Judge Robert Mega’s 14th-floor courtroom. They were there to discuss pro hac vice (“for this time only”) applications to allow five additional colleagues to practice temporarily in New Jersey.Merck has already collected on some property insurance policies that specify coverage for cyberdamage while also settling with two defendants in the lawsuit for undisclosed amounts. One that settled, syndicate No. 382 at the insurance marketplace Lloyd’s of London Ltd., was in a group that covered losses only if they ranged from $1.15 billion to $1.75 billion. A spokesman for CNA Financial Corp., which is tied to the syndicate, declined to comment.The lawsuit in Union County addresses only property insurance claims. The $1.3 billion in losses that Merck claims includes expenses such as repairing its computer networks and the costs of business that was interrupted by the attack. Units of Chubb Ltd., Allianz, and other insurers have denied coverage on grounds that NotPetya was a “hostile or warlike” act or an act of terrorism, which are explicitly excluded by their policies.As far as Merck is concerned, it was struck not by any of those excluded acts, but by a cyber event. “The ‘war’ and ‘terrorism’ exclusions do not, on their face, apply to losses caused by network interruption events such as NotPetya,” the company’s lawyers wrote in an Aug. 1 filing. “They do not mention cyber events, networks, computers, data, coding, or software; nor do they contain any other language suggesting an intention to exclude coverage for cyber events.” Lawyers for the insurance companies declined to comment for this story, as did Merck’s attorneys. Merck declined to comment on the hack or the lawsuit beyond what’s in their public filings. Addressing the broader issue, Merck Chief Financial Officer Robert Davis says, “We continue to make sure we fully invest to protect ourselves against the cyberthreats we see.” He didn’t disclose how much Merck spends on cybersecurity.The courts in the U.S. struggled with these matters long before cyber came along. Even under clearer circumstances—as when the Japanese bombed Pearl Harbor on Dec. 7, 1941—lawsuits between insurers and victims over similar exclusions tied U.S. courts in knots. In cases involving life insurance payouts after Pearl Harbor, courts in different parts of the country split, with some judges ruling that the exclusions didn’t apply and other judges saying they did.The NotPetya attack will catapult the U.S. legal system into even murkier terrain. Nation-states for years have been developing digital tools to create chaos in time of war: computer code that can shut down ports, tangle land transportation networks, and bring down the electrical grid. But increasingly those tools are being used in forms of conflict that defy categorization, including the 2014 attack that exposed emails and destroyed computers at Sony Pictures Entertainment Inc. The U.S. government blamed that attack on North Korea. Sony settled claims by ex-employees.In the Merck lawsuit, the insurers may well see an opportunity to test their legal theories and find out if they can meet their burden of proving that war exclusions should apply. Fighting in eastern Ukraine between Russian-backed separatist forces and Ukraine’s military has killed thousands. Speaking about NotPetya, Olga Oliker, a senior adviser to the Washington-based Center for Strategic and International Studies, said in testimony before the U.S. Senate in March 2017, “If this was, indeed, an orchestrated attack by Russia, it is an example of precisely the type of cyber operation that could be seen as warfare, in that it approximates effects similar to those that might be attained through the use of armed force.”Informed analysis doesn’t equal the evidence insurance companies really want, however. If there is “smoking gun” proof that would be useful to the insurers’ legal arguments, it probably resides out of reach: in classified U.S. or U.K. intelligence assessments that may have been based on intercepted communications and evidence obtained by hacking the attackers’ computers. Even so, Philip Silverberg, a lead lawyer for the insurers, wrote to Judge Mega on Sept. 11, “The insurers are confident that there is evidence to demonstrate attribution of NotPetya to the Russian military.”To get it, the insurers will lean on the work of computer forensic experts who’ve analyzed NotPetya and may be able to testify that it bears the hallmarks of a Russian military operation. That analysis is complicated, because attackers often mask their identities and can mislead investigators. The insurers may get a little help from the Trump administration. In its February 2018 statement, the White House said NotPetya “was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.”“When the president of the United States comes out and says, ‘It’s Russia,’ it’s going to be hard to fight,” says Jake Williams, a former National Security Agency hacker who now helps companies hunt for vulnerabilities in their computer networks. “I’ll be surprised if the insurance companies don’t get a win. This is as solid a case as they’re going to get.”In addition, the insurers are likely to probe whether Merck did as much as it could to defend itself against a NotPetya-like attack: Was the company, for example, vigilant in updating its computer software?The arguments and counterarguments unfolding in Elizabeth are sometimes arcane and convoluted. But what triggered them is plain to see. The attack that ricocheted around the world on June 27, 2017, was “the closest thing we’ve seen” to a cyber catastrophe, says Marcello Antonucci, global cyber and technology claims team leader at insurer Beazley Plc. “NotPetya was a wake-up call for everybody.”A Decade at WarA new era of cyberattacks to destroy systems or hijack data began with assaults by nation-states that were eventually copied by criminal groups2009 into 2010StuxnetCybersecurity experts blamed this malware for a devastating attack on Iran’s nuclear processing facilities. Stuxnet is widely believed to have been designed by hackers working for the U.S. and Israeli governments.August 2012Saudi Arabian Oil Co. A computer virus that hit Aramco affected at least 30,000 personal computers. The oil giant vowed to fortify its network, with leaders saying at the time that it wasn’t the first attack and likely wouldn’t be the last.February 2014Las Vegas Sands Corp.Hackers attacked Sheldon Adelson’s casino company, gaining control of a website and posting content criticizing the billionaire. James Clapper, who was U.S. director of national intelligence, confirmed in 2015 that Iran was behind the hack.November 2014Sony Pictures Entertainment Inc.Hackers besieged Sony, stealing new movies and debilitating thousands of computers. U.S. government officials attributed the attack to North Korea. In 2018 the U.S. charged a North Korean hacker for crimes stemming from this and the WannaCry hacks.December 2015Ukraine Power GridIn the first known cyberattack on an electricity grid, hackers knocked out power to about 225,000 customers of three Ukrainian companies for several hours. Cybersecurity experts blamed Russia.December 2016Kyiv Power GridCyberattackers shut down power to part of Kyiv for about an hour. Cybersecurity experts blamed the same hackers who struck a year earlier and said the Kyiv incident appeared to be a test run for later strikes.May 2017WannaCryThis ransomware attack crippled parts of Britain’s National Health Service and encrypted hundreds of thousands of computers worldwide. U.S. authorities blamed North Korea.June 2017NotPetyaA computer worm spread from Ukraine to companies around the world, causing billions of dollars in damage. The U.S., the U.K., and other countries later blamed the Russian military.March 2018AtlantaRansomware compromised the city’s computers, causing millions of dollars in losses. The two Iranian hackers who were indicted were separately charged with extorting more than 200 victims, including hospitals, the University of Calgary in Alberta, and the cities of Atlanta and Newark, N.J., over almost three years.March 2019Norsk Hydro ASAA ransomware hack forced Norsk Hydro, a Norwegian aluminum maker, to shut down several of its automated product lines and switch smelters to manual mode.Source: Bloomberg reportingScott Stransky was in elementary school in 1992 when Hurricane Andrew blew through the Bahamas, Florida, and Louisiana, killing more than two dozen people and wrecking tens of thousands of homes. At the time, his family was vacationing in Hawaii, flying out just before the islands were battered by Hurricane Iniki, the worst in the state’s history.Such cataclysmic events do more than take lives, destroy homes, and wreck infrastructure. They cut a path of destruction through the insurance business as well: About a dozen underprepared insurers went out of business in Andrew’s aftermath. Later in life, Stransky, who studied mathematics and atmospheric science at MIT, went to work helping insurers model their exposure to the next Andrew or Iniki.Data obsession crosses into Stransky’s private life. Sitting in his office in downtown Boston, the hiking and travel fanatic rattles off the number of U.S. national park sites he’s visited (399 of 419), interstate borders he’s crossed (96 of 107), and times he’s stood at spots where three U.S. states meet (12 of 38).About six years ago, Stransky decided to turn his skills to cybersecurity. Hacks were getting bigger. The 2013 attack on Target Corp., which exposed the financial or personal data of at least 70 million people, led him to talk to his boss about developing a new form of cybermodeling.Billions of calculations later, Stransky, who turns 36 in December, is vice president and director for emerging risk modeling at AIR Worldwide, a unit of Verisk Analytics Inc. He leads a team—data geeks, Ph.D.s, even a certified ethical hacker who worked at the U.S. Department of Defense—that creates and stress-tests models designed to assess future cybercosts.The tools deployed by the group are especially useful to insurance companies tapping into the lucrative cyber insurance market. The armaments include thousands of insurance claims as well as data from internet sensors that track traffic between corporations and business partners, sniffing out malware or determining if network ports are vulnerable to incursions by outsiders.For companies and their insurers, the numbers are daunting. The cost to businesses and insurers of a single global ransomware attack could hit $193 billion, with 86% of that uninsured, according to a 2019 report from a group that includes Lloyd’s of London. The figure for Andrew’s insured losses alone was an estimated $15 billion. Some estimates of total annual business losses from data breaches rise to more than $5 trillion by 2024. “We’re always looking to simulate what the Hurricane Andrew of cyber would be,” Stransky says. “NotPetya is not even close to the worst-case scenario. It can get much, much worse.”As the Merck case is highlighting, the insurance industry’s exposure to cyberdamage is almost incalculably hard to grasp. The problem isn’t the relatively modest pool of cyberpolicies that insurers are writing; they amounted in the U.S. to $3.6 billion in premiums in 2018, according to the National Association of Insurance Commissioners. The bigger worry is that cyberattacks could spill over into the vastly deeper pool of property casualty policies that insurers wrote in the U.S. in 2018—$621 billion worth in all.Buffett’s notion—that experts like Stransky are “kidding themselves”—nags at Stransky. Cyber events are in important ways not like weather events. There’s far less data because companies often hide what happens to them or downplay the damage. Furthermore, hacks and the defenses against them are not governed by ecology or physics. Hackers have so-called zero-days—computer vulnerabilities known only to them and for which there is no defense. And it’s almost impossible to predict what a Russia or an Iran might do based on its past actions.Stransky concedes all of that, but he remains optimistic that his data work will help clarify the clouded picture faced by insurers and their clients. “I’m not going to say this is the panacea,” he says. “It’s just one part of the process.” In a darkened room across the river from the Lincoln Memorial in Washington, two dozen analysts watch row upon row of monitors as streams of data on the computer health of 150 companies scroll past. Protected by steel doors with facial-recognition locks, this is the so-called watch floor in Deloitte & Touche LLP’s Cybersphere—the place where the accounting firm tracks the minutiae of the world’s cyberthreats for its customers, scouring for malware and other signs of intruders.The cybersecurity business is booming at Deloitte, as it is at companies such as FireEye, CrowdStrike Holdings, and Check Point Software Technologies. Deloitte’s U.S. cyber unit employs 4,500 people, and the watch floor sits at its heart. Andrew Morrison leads strategy, defense, and response for the cyber practice.Deloitte sends out teams to help companies recover data and network capabilities in the midst of cyberattacks. After NotPetya struck, a Deloitte team launched a recovery operation for A.P. Moller-Maersk A/S, the world’s largest container shipping company. The attack left Maersk’s container ships stranded at sea, closed ports, and ruptured communications. Within 10 days, Maersk reinstalled its entire computer infrastructure, including 4,000 servers and 45,000 PCs, according to Chairman Jim Hagemann Snabe.A few years before NotPetya, China’s military and intelligence agencies were stealing the secrets of global corporations at an alarming rate, giving a boost to the cybersecurity business. Most experts agree that threat has abated in the wake of a 2015 U.S.-China cybersecurity agreement and a reorganization of the Chinese military.New and increasing threats are coming from ransomware and other malicious code designed to hijack, destroy, or alter data. Victims come in all sizes. Petty criminals, to cite one example, regularly use ransomware to lock up patient data in dentists’ offices in capers that bring in a few thousand dollars. But for the most sophisticated cybercriminals, the choice targets are companies that make up a nation’s infrastructure: manufacturers, power companies, gas pipeline operators, banks.And yet Morrison’s team is busier than ever. Manufacturers, including aluminum companies with smelters valued at almost $1 billion that could be ruined in a cyberattack, are particularly vulnerable, Morrison says. “Taking down the manufacturing facility, taking down the supply chain, all have dramatic impacts,” he says. “Clients generally aren’t as well-prepared in that space, because it’s legacy equipment run by a shop steward on a machine floor and it’s very difficult to secure.”That risk has increased as more industrial companies use interconnected devices that are embedded in their systems. Earlier this year, a ransomware attack hit aluminum producer Norsk Hydro ASA, halting production at some plants that fashion the metal into finished products. As manufacturers upgrade industrial systems, cyberattacks threaten to cripple production and ripple through supply chains.Given how scary the future looks, the Merck case is, in some ways, an effort by insurers to turn back the clock. They want clarity. The industry is working to write its policy exclusions in such a way as to avoid any confusion over whether a digital attack is covered or not.Standalone cyberpolicies give insurers the clarity they want. But property policies historically haven’t taken into account the potential damage in a cyberattack. This raises the dread prospect of what’s known as “silent cyber”—the unknown exposure in an insurer’s portfolio created by a cyber peril that hasn’t been explicitly excluded or included.Insurers such as AIG or the underwriters governed by Lloyd’s are now tightening the language around what events they’ll cover. Lloyd’s said in July that certain policies must state more clearly whether cyberattacks are covered. AIG said that starting in January, almost all of its policies for businesses should make that clear, culminating a six-year effort.In Elizabeth, the action has been going on behind closed doors. Witnesses will testify on such subjects as what insurers intended in drafting exclusions for acts of war or terrorism and what Merck believed its coverage meant. Some insurers drafted new war or cyber exclusions for policies after NotPetya, but Judge Mega ruled that insurers don’t have to disclose documents showing why they changed their policies after the attack.In early 2020, experts will testify behind closed doors as to what constitutes an act of war in the cyber age. The case could be settled at some point—or it could drag on for years before going to trial.The challenge for insurers is to show that NotPetya was an act of war even though there’s no clear definition in U.S. law on what that means in the cyber age. Mega will also have to analyze international law, says Catherine Lotrionte, a former CIA lawyer who’s taught at Georgetown University. “It’s not going to be an easy case for a judge in the U.S. to declare that this was an act of war,” she says. “It’s not just whether another country did it, but does it meet the legal criteria under international law for an armed attack?”Whichever way the courts rule, one stark reality is clear: The era of cyberweapons is forcing companies to defend themselves against a scale of threat that, in the conventional world, would have merited government help. With the insurance companies working to protect themselves against cyber risk, and because there’s only so much that governments can do, companies such as Merck have no choice but to build their own defenses to manage risk. —With Kelly GilblomVoreacos covers financial investigations, Chiglinsky covers insurance, and Griffin covers the drug industry. They are based in New York. (Clarifies Andrew Morrison’s role in the 40th paragraph.)To contact the authors of this story: David Voreacos in New York at dvoreacos@bloomberg.netKatherine Chiglinsky in New York at kchiglinsky@bloomberg.netRiley Griffin in New York at rgriffin42@bloomberg.netTo contact the editor responsible for this story: Stryker McGuire at smcguire12@bloomberg.net, Jeffrey GrocottFor more articles like this, please visit us at bloomberg.com©2019 Bloomberg L.P.
- Zacks
Seattle Genetics, Astellas Tie Up With Merck for Cancer Study
Seattle Genetics (SGEN) and Astellas team up with Merck for a late-stage study to evaluate the enfortumab vedotin and Keytruda combo in patients with previously untreated metastatic urothelial cancer.
- Zacks
Merck's Keytruda Gets FDA's Priority Tag in Bladder Cancer
Merck's (MRK) sBLA for Keytruda gets FDA's priority review status to treat certain patients with high-risk, non-muscle invasive bladder cancer.
