Merck Wins Again in Cyber Coverage Battle
The Superior Court of New Jersey Appellate Division recently upheld a lower court’s finding that the war exclusion in a property insurance policy did not preclude coverage for Merck’s claim stemming from a 2017 cyberattack. The decision is appropriately being heralded as a huge win for policyholders and an affirmance of New Jersey’s longstanding history of protecting policyholders’ reasonable expectations. We previously blogged about developments relating to the war exclusion and the Merck case when it was initially heard by the Appellate Division.
In 2017, Merck, like many other companies, was the victim of a NotPetya malware attack. The malware, which was delivered to Merck’s computers through accounting software developed by a Ukrainian company, allegedly spread to 40,000 Merck computers, caused more than $1.4 billion in losses and hurt Merck’s revenues. Merck sought coverage under its $1.75 billion property insurance program, but Merck’s insurers denied coverage, citing a “hostile/warlike action” exclusion, which precludes coverage for:
loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack:
a) by any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval, or air forces;
b) or by military, naval, or air forces;
c) or by an agent of such government, power, authority or forces.
The insurers argued that the malware hack was initiated by an instrument of the Russian government against Ukraine, while Merck said the attack was not an act of war from a nation-state, but a mere form of malware covered by the policy. Merck ultimately filed suit against its insurers alleging that the carriers breached the policies by refusing to cover Merck’s losses from the NotPetya cyberattack.
The trial court determined in December 2021 that the exclusion precludes only a physical act of warfare instead of a malware hack. The court further held that a “hostile or warlike action” means traditional war involving “hostilities between armed forces of two or more nations or states.” Additionally, the trial court held that the insurers had the ability to “change the language of the exemption to reasonably put [Merck] on notice that it intended to exclude cyber attacks,” but did not. The insurers appealed that decision.
On appeal, the New Jersey Appellate Division affirmed the trial court decision. Specifically, the court stated: “In considering the plain language of the exclusion, and the context and history of its application, we conclude the Insurers did not demonstrate the exclusion applied under the circumstances of this case.” The court explained that “the plain language of the exclusion did not include a cyberattack on a non-military company that provided accounting software for commercial purposes to non-military customers, regardless of whether the attack was instigated by a private actor or a ‘government or sovereign power.’” The court further explained that, after analyzing other war exclusion cases throughout history, “[c]ontrary to the Insurers’ contentions, these cases demonstrate a long and common understanding that terms similar to ‘hostile or warlike action’ by a sovereign power are intended to relate to actions clearly connected to war or, at least, to a military action or objective.”
In light of the decision, policyholders should continue to review coverage for cyber risks under both their cyber/technology insurance policies, as well as traditional policies. And, as a result of the coverage litigation arising out of the NotPetya attacks, many insurers have introduced broader war exclusions, or state actor exclusions, even in cyber policies. Nonetheless, robust coverage is still available, and policyholders should work with their brokers and insurance coverage counsel to ensure that they are purchasing the broadest coverage possible at policy inception or renewal.