A New Jersey intermediate appellate court held May 1 that Merck & Co. was entitled to insurance coverage for damages suffered in 2017 as a result of malware known as NotPetya. The decision provides practical takeaways for corporate purchasers of cyber and property insurance products that include a war exclusion.
Background
According to Merck, NotPetya damaged more than 40,000 of its computers and caused more than $1.4 billion in damages. After Merck sought to recover for these losses under certain insurance policies, its insurers denied coverage for the claim based upon a war exclusion, arguing that Russia was responsible for NotPetya and used the malware as part of its ongoing hostilities against Ukraine.
Unable to resolve the dispute, Merck was forced to file a lawsuit. After extensive discovery, the parties filed dueling motions for partial summary judgment on the applicability of the exclusion.
The trial court, considering general principles of insurance policy construction as well as case law regarding the war exclusion, ruled in Merck’s favor, and the appeals court affirmed.
All-Risk Means All-Risk
The policies at issue protected Merck against “all risks.” Such insurance broadly covers any risk unless such risk is expressly excluded. This differentiates the coverage from that for named perils which, by contrast, protects against perils expressly included. The former is broader than the latter.
As the decision notes, all-risk insurance creates a “special type of insurance extending to risks not usually contemplated, and recovery under the policy will generally be allowed.”
An all-risk policy, such as the one before the court in Merck—which also happened to include computer data and systems-related coverages—will provide coverage against the risk of loss or damage caused by malware, absent a specific exclusion.
War Exclusions Don’t Apply to Cyberattacks
The exclusion before the Merck court provided that the policy does not insure against loss or damage “caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack.”
While Merck’s insurers argued that this plainly applied to the NotPetya attack, the appeals court disagreed. Like the lower court before it, the court looked to the history of such exclusions. Following its review of the language, the court concluded that “the few cases cited by the parties reinforce our conclusion that similar exclusions have never been applied outside the context of a clear war or concerted military action.”
Given this, and the rule of construction discussed below, the Merck ruling suggests that courts will not apply traditional war exclusions to loss or damage caused by malware or cyberattack.
Insurance Policy Interpretation & Exclusions
The Merck court and the trial court below noted that exclusions in insurance policies are to be construed narrowly. The court quoted a decision saying that “the experienced all risk insurers should have expected the exclusions drafted by them to be construed narrowly against them and should have calculated their premiums accordingly.”
In addition to the fact that they are construed narrowly, exclusions generally will not be applied if they are ambiguous. Or as one New York court put it: “The burden, a heavy one, is on the insurer and if the language of the policy is doubtful or uncertain in its meaning, any ambiguity must be resolved in favor of the insured and against the insurer.”
Taking the language of the exclusion, insurance policy interpretation principles, and the case law, the Merck trial court said that both parties to the contract were aware that cyberattacks have become more common. Yet, the insurers never changed their exemptions to put the insured on notice that cyberattacks are excluded.
“Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare,” the trial court held. The appellate court agreed.
Takeaways
Corporate purchasers of insurance can expect that war exclusions will be increasingly tested as new types of cybercrimes create challenges regarding the origins and motives behind attacks.
But insurers who choose not to amend the language of their war exclusions will likely find courts unsympathetic to the arguments made by the Merck’s insurers here.
The case is Merck & Co. v. Ace Am. Ins. Co., N.J. Super. Ct. App. Div., No. A-1879-21, 5/1/23.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Peter A. Halprin is a partner in Pasich’s New York office representing commercial policyholders in complex insurance coverage matters.
Write for Us: Author Guidelines
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.