- Emergency Consultation Services
- Risk Management Services
- Who We Are
- Our People
- What We Do
- Why We Are Different
- What’s New
- Where We Are
In a closely watched case of first impression, a New Jersey appeals court panel held on Monday that a “hostile/warlike action” exclusion contained in an “all risks” property insurance policy does not bar coverage for nearly $700 million in losses suffered by multinational pharmaceutical giant Merck in connection with a cyberattack that affected Merck and others several years ago.
The case arose out of a malware/cyberattack incident in June 2017 known as “NotPetya” in which over 40,000 machines within Merck’s global network rapidly became infected with malware, which encrypted data on the infected system and demanded payment of a ransom in exchange for decryption. Merck suffered significant losses in connection with the NotPetya cyberattack, including extensive disruptions to its research, manufacturing, business, and sales operations.
At the time of the NotPetya cyberattack, Merck’s property insurance coverage included a multi-layer structure of “all risks” property policies with a number of different insurers. Each of those policies contained materially identical “hostile / warlike action” exclusions to coverage clauses providing:
This policy does not insure against: Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack: (a) by any government or sovereign power … or by any authority maintaining or using military, naval, or air forces; (b) or by military, naval, or air forces; (c) or by an agent of such government, power, authority, or forces[.]
Merck’s insurers denied coverage based on this “hostile/warlike action” exclusion.
The issue presented for the Court’s determination was whether this “hostile / warlike action” exclusion applied to exclude coverage for Merck’s losses caused by the NotPetya cyberattack. In a 35-page published decision, which specifically noted the absence of any decided legal precedent considering application of such a “hostile/warlike action” policy exclusion in the context of a cyberattack, a three-judge panel of the Appellate Division of the Superior Court of New Jersey held the “hostile/warlike action” exclusion did not apply to bar coverage. Based on its analysis of the policy language as well as an examination of the historic context and application of the “hostile/warlike action” exclusion, the Court held the exclusion did not apply because the cyberattack was a fundamentally “non-military” act done for “commercial purposes.” The Court explained:
Coverage could only be excluded here if we stretched the meaning of “hostile” to its outer limits in an attempt to apply it to a cyberattack on a non-combatant firm that provided accounting software updates to various non-combatant customers, all wholly outside the context of any armed conflict or military objective.
The Court held such an expansive construction of the term “hostile” would be contrary to the historic application of the “hostile / warlike action” exclusion in other contexts as well as to general principles of insurance policy interpretation, which ordinarily require a broad reading of coverage provisions, a narrow reading of exclusionary provisions, and resolution of ambiguities in the insured’s favor. Accordingly, the Court held the “hostile / warlike action” exclusion did not apply to exclude coverage for Merck’s losses caused by the NotPetya cyberattack.
This decision gives insurers a glimpse into the way courts may apply traditional policy language in the face of changing technology. Although courts have read policies to include developments in technology in some arenas, courts may still hesitate to find cybercrimes excluded by the war exclusion clauses without clear and specific language including cybercrimes in the scope of the contemplated hostile/warlike action, or without a direct connection between the cybercrime and military or combatant forces.