Summary
- Merck disclosed that the June 27, 2017 network cyberattack disrupted worldwide operations, including manufacturing, research, and sales. Its 2017 Form 10-K said the attack had an unfavorable 2017 sales effect of about $260 million and produced $285 million of manufacturing and remediation expenses net of about $45 million in insurance recoveries.
- Merck's 2018 Form 10-K later said 2018 sales were unfavorably affected by about $150 million from the residual backlog, and that disputes remained with certain insurers about some insurance coverage for claims related to the 2017 cyberattack.
- The New Jersey appellate opinion described the insurance program as twenty-six all-risk property policies with $1.75 billion in total limits above a $150 million deductible, and said the disputed coverage on appeal totaled $699,475,000, just under forty percent of Merck's total coverage for the policy period.
- The same opinion affirmed that the hostile/warlike action exclusion did not bar coverage in the presented circumstances. That was a coverage ruling, not a public final accounting of all payments, all insurers, or all loss categories.
- The New Jersey Supreme Court appeal later ended by settlement and dismissal before a merits decision. Public reports described the settlement as confidential or undisclosed, so the settlement should not be treated as a public final allocation of who paid what.
- The durable accountability lesson is narrower than the legend: NotPetya made enterprise resilience, pharmaceutical supply continuity, loss accounting, attribution, and insurance drafting part of the same evidence record.
NotPetya turned ordinary enterprise dependency into medicine-supply risk
Merck's NotPetya experience matters because it links a global Windows-domain disruption to pharmaceutical operations and then to insurance coverage. The incident was not merely a technology department problem. Merck told investors that the June 27, 2017 network cyberattack disrupted worldwide operations, including manufacturing, research, and sales. A company that manufactures vaccines, prescription medicines, and animal-health products cannot treat that kind of disruption as a routine endpoint cleanup.
The core company record begins in Merck's 2017 Form 10-K. Merck said that the cyberattack led to a disruption of worldwide operations, including manufacturing, research, and sales. It said all manufacturing sites were operational by the time of the filing and were manufacturing active pharmaceutical ingredient, formulating, packaging, and shipping product. It also said external manufacturing was not impacted and that Merck continued to fulfill orders and ship product. Those statements are important because they prevent overstatement. The public filing does not say Merck stopped all medicine supply worldwide indefinitely. It says the company experienced a serious disruption while continuing to ship product and later restoring all manufacturing sites.
The same filing quantified the business effect. Merck said it was unable to fulfill orders for certain products in certain markets, which had an unfavorable effect on 2017 sales of approximately $260 million. It also recorded manufacturing-related expenses, primarily unfavorable manufacturing variances, plus remediation expenses in administrative and research and development categories, aggregating $285 million in 2017 net of insurance recoveries of approximately $45 million. Merck also anticipated that residual order backlog would unfavorably affect 2018 sales in certain markets by approximately $200 million.
Merck's public filing channel matters because these were not offhand estimates in a press interview. Merck's investor SEC filings page directs investors to the formal record, and the annual reports placed the cyberattack inside risk, operating results, and insurance discussion. That gives the incident a public-accountability layer that many ransomware cases lack. The filings do not show the internal claim file, but they do show management's public view of sales effect, expense recognition, manufacturing restoration, insurance recoveries, and remaining coverage disputes. For boards, that combination is the minimum useful shape of cyber-loss disclosure: operational category, financial measure, time period, recovery status, and uncertainty.
That anticipated number changed as the record matured. In its 2018 Form 10-K, Merck again described the 2017 network cyberattack and said 2018 sales were unfavorably affected in certain markets by approximately $150 million from the cyberattack. The filing repeated the 2017 approximately $260 million sales effect and $285 million expense figure net of about $45 million insurance recoveries. It also said Merck had insurance coverage insuring against costs resulting from cyberattacks, had received proceeds, and had disputes with certain insurers about the availability of some insurance coverage for claims related to the 2017 cyberattack. A third-quarter 2018 Form 10-Q showed the transition: sales effects in the first nine months of 2018 were about $150 million, including an immaterial third-quarter impact, while manufacturing and remediation costs in the first nine months of 2018 were immaterial.
These filings are more useful than broad loss estimates because they divide the problem into operational categories. Sales losses were tied to unfulfilled orders in certain markets. Manufacturing costs were tied to unfavorable variances and recovery. Remediation costs were tied to administrative and research work. Insurance proceeds were received, but not all coverage was uncontested. A pharmaceutical continuity failure therefore became a proof problem: what was lost, where, why, for how long, under which policy language, with which deductible, and with which exclusions?
The court record gave the insurance dispute a technical spine
The most detailed public litigation record is the New Jersey Appellate Division's 2023 opinion, available through the official New Jersey Courts PDF and Justia's copy of Merck & Co., Inc. v. ACE American Insurance Co.. The opinion is not a technical incident report, and it should not be read as Merck's complete forensic file. It is, however, unusually clear on the parts of the record that mattered to the insurance dispute.
The court described Merck as seeking declaratory judgment under twenty-six all-risk property policies for losses caused by the June 2017 malware attack known as NotPetya. The policy program ran from June 1, 2017 to June 1, 2018 and had $1.75 billion in total limits above a $150 million deductible. The court said the parties disputed $699,475,000 in coverage, just under forty percent of Merck's total coverage for the policy period. Those numbers are not Merck's total economic cost; they are the disputed coverage amount in that appellate record. The distinction matters because a loss can be larger or smaller than the amount left for a particular legal appeal.
The opinion also summarized how the malware entered and spread according to the record before the court. It described M.E.Doc, a Ukrainian accounting software application used by Merck and other companies doing business in Ukraine, and a compromised update mechanism. The opinion said Merck received malicious updates through a server located in Ukraine that automatically checked for new versions of M.E.Doc. It described NotPetya as presenting itself as ransomware, encrypting certain data, rendering systems inaccessible, and leaving infected systems inoperable. Within ninety seconds, according to the opinion, about 10,000 machines in Merck's global network were infected; within five minutes, about 20,000 machines were infected; ultimately, more than 40,000 machines were infected.
That scale explains why this was not just a local Ukrainian office issue. The malware reached a global corporate network quickly enough to make central resilience, identity, patching, backup, and network segmentation part of the same accountability record. The court quoted Merck's position that NotPetya caused production facilities and critical applications to go offline and massively disrupted operations, including manufacturing, research and development, and sales. That is litigation-record language, not a substitute for plant-by-plant operational detail. But it aligns with Merck's SEC filings, which described manufacturing, research, and sales disruption.
Public technical sources support the general NotPetya context. The CISA alert on Petya ransomware warned in June 2017 about the campaign and mitigation steps. Microsoft's June 2017 analysis described the malware as combining ransomware techniques with worm-like propagation and credential abuse. The UK National Cyber Security Centre later attributed NotPetya to Russian military intelligence as part of a broader public attribution record, and the White House statement described NotPetya as part of a reckless and indiscriminate cyberattack. Those public government statements matter for geopolitical context. They did not automatically decide the insurance contract question in New Jersey.
The operational controls implied by that technical context are familiar but difficult at scale. NIST SP 800-61 Rev. 2 describes incident handling as preparation, detection and analysis, containment, eradication, recovery, and post-incident activity. In a NotPetya-scale event, those phases do not line up neatly. A company may still be detecting affected hosts while it is containing network segments, restoring urgent business systems, preserving evidence, and briefing leadership. The point for Merck is not that public sources prove how it performed each phase. The point is that the event's scale made incident handling a business-governance function rather than a help-desk queue.
Continuity guidance reinforces the same lesson. NIST SP 800-34 Rev. 1 frames contingency planning around business impact, recovery priorities, alternate processing, and plan testing. The CISA Ransomware Guide emphasizes preparation, backups, containment, and recovery for ransomware incidents, while NotPetya's destructive character means it should not be treated as ordinary recoverable ransomware. These sources do not find fault with Merck. They help explain why pharmaceutical operations need tested recovery paths for identity, manufacturing support, release documentation, sales systems, and shipping records before malware reaches tens of thousands of machines.
The war-exclusion ruling was about policy language, not moral attribution
The legal fight is often oversimplified as "was NotPetya an act of war?" The appellate opinion was more careful. The insurers invoked a hostile/warlike action exclusion. They argued that coverage was barred because NotPetya was allegedly orchestrated by actors working for or on behalf of the Russian Federation. Merck disputed the exclusion's application. The trial court granted partial summary judgment for Merck, finding the exclusion did not apply to bar coverage. The Appellate Division affirmed.
The opinion's reasoning is important because it separates attribution from contract interpretation. The court noted that the parties disputed attribution, and that the trial court did not need to reach the attribution issue in granting partial summary judgment. The Appellate Division said the plain language of the exclusion did not support the insurers' interpretation. It explained that exclusion of damage caused by hostile or warlike action by a government or sovereign power, in times of war or peace, required involvement of military action. The exclusion did not say that damages arising out of any government action motivated by ill will were excluded.
The court also focused on reasonable policy wording. It agreed with the trial court that insurers were aware that cyberattacks of various forms, sometimes from nation-states, had become more common, yet did not change the policy language to reasonably put the insured on notice that cyberattacks would be excluded. The appellate court stated that the plain language of the exclusion did not include a cyberattack on a non-military company that provided accounting software for commercial purposes to non-military consumers, regardless of whether the attack was instigated by a private actor or a government or sovereign power. It found the insurers had not satisfied their burden to show the exclusion could be fairly applied to NotPetya.
That holding should be described precisely. It does not say cyberattacks can never be excluded. It does not say government attribution is irrelevant in every policy. It does not say war exclusions have no future application to cyber operations. It does not make Merck blameless for every resilience decision. It says that under the policies and circumstances before the court, the insurers did not show that the hostile/warlike action exclusion barred coverage.
This distinction is where insurance accountability becomes operational. Insurers control drafting, exclusions, sublimits, endorsements, underwriting questions, and premium pricing. Policyholders control how they describe assets, interruption exposure, recovery objectives, and cyber dependencies. Courts control the interpretation of policy language after a dispute. If a policy sold before the loss does not clearly exclude state-linked cyber operations, an insurer may face the risk that ordinary all-risk property language covers more than it later intended. If a policyholder relies on property insurance as cyber loss transfer, it may face years of litigation before the money becomes certain.
The Merck case therefore did not merely ask whether NotPetya was bad. Everyone agreed it was destructive. It asked who had converted that cyber risk into a contractually allocated property risk and whether the exclusion language was clear enough to move the loss back to Merck. The court's answer favored Merck on that exclusion. The later settlement ended the remaining fight without a final public payment map.
Settlement ended the appeal, not the public evidence gap
After the Appellate Division decision, the insurers sought review in the New Jersey Supreme Court. Public reports in January 2024 said Merck and insurers had settled before scheduled argument. Reuters reported that Merck settled with insurers over the NotPetya cyberattack claim, and Insurance Journal reported that the settlement terms were not disclosed. Cybersecurity Dive likewise reported that the parties resolved the high-profile insurance fight before the New Jersey Supreme Court could weigh in. Public legal coverage and the court docket record described dismissal following settlement rather than a merits opinion from the state's highest court.
That end state matters. The Appellate Division opinion remains an important published coverage decision, but the Supreme Court did not issue a final merits ruling. The settlement did not publicly reveal how much each insurer paid, whether every disputed coverage category was paid, how defense costs and interest were handled, or whether any side preserved non-public positions. For public accountability, the settlement is evidence that the parties resolved the dispute, not evidence of a complete public loss allocation.
This is why it is risky to cite a single headline number as "the Merck NotPetya cost." The court record described $699,475,000 in disputed coverage in the appeal. News accounts described a broader claim that public reports often rounded to about $1.4 billion. Merck's filings separately gave sales and expense effects for 2017 and 2018 and described insurance recoveries. These are related, but they are not the same measure. A policy claim can include property damage, business interruption, extra expense, and other insured categories. A sales effect is a revenue measure. Manufacturing variance is an accounting expense category. A settlement is a negotiated resolution. Treating them as interchangeable would make the record look more certain than it is.
The evidence gap is especially important for cyber-risk markets. Insurers, brokers, corporate risk managers, boards, and public-sector entities watched Merck because the ruling affected expectations about cyber loss under property policies. But the public settlement gives no final judicial rule from the New Jersey Supreme Court and no public actuarial accounting. Insurers could still respond by changing wording. Policyholders could still respond by buying dedicated cyber coverage, demanding clearer war language, or mapping property and cyber overlaps more carefully. The market lesson is not that Merck's fact pattern will always produce coverage. It is that ambiguous or old wording can leave enormous cyber-loss allocation unresolved for years.
Pharmaceutical continuity had a different public-interest profile
The NotPetya record is different from many corporate malware stories because Merck's affected business included vaccines and medicines. Public filings identify pharmaceutical products and animal-health products across global markets. A pharmaceutical manufacturer does not only lose office productivity when a cyberattack hits manufacturing and shipping systems. It may face product-allocation decisions, batch release delays, market shortages, inventory uncertainty, temperature-controlled logistics challenges, regulatory documentation issues, and patient or provider consequences. The public record does not permit a complete product-by-product harm map, but Merck's own filings show that certain orders in certain markets could not be fulfilled.
The 2017 Form 10-K also said the temporary production shutdown contributed to Merck's inability to meet higher than expected demand for Gardasil 9. That statement should be treated carefully. It does not mean NotPetya alone caused all demand-supply imbalance for that vaccine. It means Merck identified the shutdown as a contributing factor. The article should not inflate that into a public finding of patient harm, regulatory violation, or broad vaccine shortage caused solely by malware. The point is more precise: malware recovery can collide with production capacity and demand in ways that matter outside the company's own accounting.
Public-sector continuity is part of this story even though Merck is a private company. Governments, public-health programs, hospitals, clinics, pharmacies, schools, and patients may rely on steady pharmaceutical supply. When a manufacturer cannot fulfill certain orders in certain markets, the consequences can pass into procurement systems and health-service planning. The FDA's drug shortages program shows how medicine availability is treated as a public concern, even though the FDA page is not a finding about Merck's NotPetya event. The public-interest lens is justified by the nature of the products, not by a public finding that NotPetya caused a specific statutory shortage.
Small and medium-sized entities also appear downstream. Independent clinics, pharmacies, distributors, veterinary practices, and local health providers may not have direct access to Merck's operational recovery evidence. They see availability, substitutions, backorders, and communication. If a manufacturer says orders in certain markets cannot be fulfilled, smaller counterparties need transparent status and fair allocation signals. They cannot inspect a global enterprise recovery project. That asymmetry is why the continuity record matters to more than shareholders and insurers.
Business-continuity language is helpful here because it keeps the analysis tied to delivery rather than drama. ISO 22301 describes continuity management around an organization's ability to continue delivering products and services within acceptable timeframes and capacities. For a pharmaceutical company, that concept is concrete: active ingredient production, formulation, packaging, quality release, shipping, market allocation, customer service, and regulatory documentation all have to rejoin after a disruptive cyber event. The public record does not prove each of those functions failed at Merck, but Merck's own filings confirm that manufacturing, research, sales, orders, and backlog were affected enough to require public disclosure.
The public-health dimension also complicates cost allocation. If a company incurs extra expense to keep a product available, that may look like a financial cost in one record and a continuity success in another. If it cannot fulfill orders in certain markets, that may show as lost sales while counterparties experience it as procurement stress. If external manufacturing is not impacted, as Merck disclosed, that may help preserve supply but does not eliminate internal recovery costs. Insurance and public accountability therefore ask different questions: the insurer asks whether the expense fits the policy; the public asks whether essential products continued to move with fair and accurate information.
That difference should shape incident exercises. A pharmaceutical cyber exercise that ends when systems are restored misses the supply question. The exercise should ask which products are constrained, which markets are exposed, which regulatory release documents are delayed, which customers need allocation guidance, and which public agencies may need early warning. It should also ask which evidence is being preserved for insurers and which evidence is being preserved for supply assurance. Those are related but not identical files. An insurer may need invoices, system-rebuild costs, business-interruption calculations and causation support. A public-health or procurement stakeholder may need status, allocation rationale, replacement timing and confidence that product quality records remain intact.
Keeping those files separate prevents two mistakes. The first mistake is to let insurance language define the public story. Coverage may turn on policy wording, deductibles, exclusions and proof categories that do not map neatly to patient or provider consequences. The second mistake is to let public reassurance destroy claim evidence. A company under pressure to say "supply is fine" may oversimplify the record it later needs to explain unfulfilled orders, manufacturing variances or extra expense. A mature recovery program should be able to say, at the same time, what is known about product availability and what is still being documented for financial recovery.
Enterprise resilience controlled the first loss; evidence controlled the second
The first Merck accountability question is operational: why did NotPetya spread so quickly and disrupt so much? The public record describes a trusted third-party application, automatic updates, command-and-control capability hidden as normal update checks, and rapid propagation inside Merck's global network. It also describes more than 40,000 infected machines. That points to common enterprise-resilience issues: dependency on trusted update channels, segmentation, credential exposure, Windows-domain reach, privileged access, backup isolation, application dependency mapping, and ability to restore core operations while containing the attack.
Public sources do not provide enough detail to grade Merck's pre-incident controls with precision. They do not publish the domain architecture, privileged-account model, patch status, backup topology, endpoint detection timeline, disaster-recovery tests, or manufacturing-system segmentation design. The court record and filings do show that the consequence crossed manufacturing, research, and sales. That is enough to identify the accountable control categories without pretending to know internal facts. A company of Merck's scale needs to know which enterprise pathways can take production facilities and critical applications offline, and how quickly those pathways can be severed.
The second accountability question is evidentiary: once the loss happened, who could prove what it was? Merck needed to document damaged systems, interrupted operations, extra expense, sales effects, manufacturing variances, restoration work, insurance recoveries, and policy coverage. Insurers needed to evaluate causation, coverage, exclusions, deductibles, limits, and attribution. The dispute over the hostile/warlike exclusion shows how technical evidence and policy language become intertwined. Whether NotPetya came through M.E.Doc, whether it was linked to a state actor, whether it damaged data and software, whether the loss was direct, and whether policy wording excluded it all mattered.
That evidentiary burden can shape recovery behavior. During an incident, a company must restore operations quickly. During an insurance claim, it must preserve records. Those goals can conflict. Systems may need to be rebuilt before every artifact is preserved. Manual workarounds may not automatically generate ordinary business records. Sales effects may be mixed with demand changes, inventory constraints, and market behavior. Manufacturing variances may include multiple causes. Insurance recovery therefore depends on a loss-accounting discipline that is ready before a cyberattack, not invented after the fact.
The Merck filings show a mature public accounting trail compared with many incidents. They gave specific sales and expense effects, identified insurance recoveries, revised the expected 2018 sales effect as the year progressed, and disclosed insurer disputes. Still, the public record did not expose the underlying claim file. It did not say which policies paid which amounts, how each category was adjusted, or how settlement proceeds were allocated. Public accountability can respect confidentiality while still asking whether boards and risk managers have enough non-public evidence to learn from the event.
That non-public evidence should be richer than the public numbers. It should connect a system outage to a manufacturing variance, a backlog to a market, an extra expense to a recovery decision, and an insurance claim to policy language. It should distinguish outage-driven lost sales from demand shifts, inventory constraints, planned maintenance, and ordinary commercial volatility. It should preserve why a manual workaround was used, who approved it, and whether it reduced public-health risk or only reduced financial loss. Without that connective tissue, the organization may know it spent money but not whether the spending improved resilience.
The same evidence can support better prevention. If the most expensive losses came from rebuilding endpoints, segmentation and endpoint recovery capacity move up the investment list. If the hardest proof problem came from sales backlog, order and allocation records need more resilient capture. If the largest dispute came from policy wording, risk transfer needs clearer placement review. If the deepest public concern came from medicine availability, recovery exercises should include supply and customer communication, not only server restoration. A loss file that only supports litigation is less valuable than a loss file that also changes the next year's controls.
The board-level lesson is that evidence design should be owned before the loss. Legal, finance, insurance, manufacturing, supply, cyber, quality and communications teams need a shared vocabulary for what counts as outage start, function restoration, product allocation, extra expense, lost sale, manual workaround and final recovery. If each team invents its definitions during a crisis, the company may restore operations while losing the thread needed to improve controls and support claims. NotPetya showed that recovery evidence is not paperwork after the fact; it is part of resilience itself. That evidence should survive leadership turnover, litigation pressure and market memory.
Insurance wording changed because the market learned
One reason the Merck dispute attracted attention is that it revealed a mismatch between cyber risk and traditional property wording. Before dedicated cyber policies matured, many companies relied in part on property programs for physical damage, business interruption, extra expense, and data or software loss. NotPetya showed that malware could produce property-like loss at a scale historically associated with catastrophes, while still being delivered through software and geopolitical conflict.
Insurance markets responded over time with more explicit cyber and war wording. Lloyd's later issued market guidance on cyberattack exclusions, including state-backed cyberattack language, through public market bulletins such as Lloyd's Market Bulletin Y5381. The Lloyd's bulletin is not part of the Merck court holding and does not retroactively decide Merck's policies. It is relevant because it shows the market trying to draft more explicit allocation rules after high-severity cyber loss experience.
Clearer wording can help both sides. Insurers need to know which systemic cyber risks they are pricing. Policyholders need to know whether property, cyber, crime, and specialty policies respond to malware that damages systems and interrupts operations. Governments and critical-infrastructure customers need to know whether suppliers have credible risk-transfer or self-insurance capacity after cyber catastrophe. Ambiguity may preserve deal flexibility at placement, but it can become expensive uncertainty after loss.
The accountability point is not that insurers were wrong to worry about state-linked cyber accumulation. They had a real aggregation problem: one malware event could hit many insureds across borders and sectors. The point is that an insurer's accumulation concern has to be translated into specific, plain, clear, and prominent policy language. The New Jersey court held that the hostile/warlike action exclusion before it did not do that work for NotPetya.
For policyholders, the lesson is equally demanding. Buying insurance does not replace resilience. Merck still had to restore operations, manage orders, record losses, preserve evidence, and continue supplying products. Insurance litigation lasted years. If continuity planning assumes that a claim payment will arrive quickly enough to solve operational disruption, it is not continuity planning. Insurance is a financial recovery tool, not a plant restart tool.
The placement process also needs technical participation. A board may approve a property tower, a cyber policy, and a captive structure, but the people who understand manufacturing dependencies often know the real loss scenarios. Can malware corrupt recipe, batch, release, or shipping data in a way the property wording recognizes? Does business-interruption coverage follow damage to software and data, or only physical equipment? Are extra expenses for alternate production, manual quality work, outside consultants, endpoint rebuilds, and customer communication clearly covered? Are state-linked cyber exclusions written in a way the risk committee can model? Merck's dispute showed that these questions should be asked before renewal, not after a destructive malware event.
A better accountability test for the next NotPetya
The Merck record suggests a practical checklist for organizations with critical production roles. First, map trusted update paths. M.E.Doc was a trusted application in the court record. A trusted path can become an attacker path if it is compromised upstream. Companies should know which third-party update systems have network reach and which environments they can touch. Second, map blast radius. How far can credentials, domain trust, remote administration, shared storage, and endpoint-management tools carry malware before segmentation slows it? Third, map minimum viable operation. Which manufacturing, release, research, sales, and shipping functions must continue, and what clean systems can support them?
Fourth, rehearse evidence preservation. Incident logs, restored backups, rebuild records, production-impact notes, inventory effects, sales backlog, and extra-expense approvals should be collectable without delaying urgent recovery. Fifth, align insurance language with technical reality. If property policies are expected to cover data corruption, system restoration, extra expense, and business interruption from malware, that expectation should be explicit. If insurers intend to exclude state-backed destructive cyber events, that exclusion should be explicit enough that boards can understand the retained risk before loss. Sixth, keep public statements bounded. Merck's filings did this better than many companies by using specific numbers and revising expectations.
The public also needs better distinctions. A government attribution statement is not the same as a policy exclusion. A trial or appellate ruling is not the same as a supreme court ruling. A settlement is not a public admission of liability. A sales effect is not the same as an insured loss. A malware family name is not the same as a complete root cause. A restored manufacturing site is not the same as erased downstream impact. Treating those terms carefully is not legal hair-splitting; it is how accountability remains tied to evidence.
Merck's NotPetya record remains one of the clearest examples of cyber risk becoming enterprise, public-interest, and insurance risk at the same time. The company controlled parts of enterprise resilience and operational recovery. Insurers controlled policy drafting and coverage positions. Courts controlled the interpretation of contested wording. Governments controlled public attribution statements. Patients, providers, distributors, employees, and smaller counterparties lived with consequences they could not independently diagnose.
That is why the case still matters after settlement. The settlement closed the public fight, but it did not erase the operational lesson. A destructive malware event can move from a trusted software update to tens of thousands of machines in minutes, interrupt pharmaceutical manufacturing and sales, generate hundreds of millions of dollars in quantified effects, and leave sophisticated parties arguing for years over whether old war language applies. The next organization should not wait for that argument to discover what its networks, recovery plans, and insurance words actually mean.

