NJ appeals court upholds Merck's win in NotPetya cyberattack case

Insurers cannot apply war exclusion without ‘clear war’ or ‘military action’, court affirms

By Erin Ayers, Advisen

A New Jersey appeals court affirmed a lower court ruling finding that a war exclusion cannot be applied to Merck & Co.’s losses stemming from a 2017 cyberattack, disagreeing with insurers’ contention that the event constituted a “hostile” or “warlike” action.

The June 2017 NotPetya cyberattack did not rise to the level of an act of war since it did not involve any military action, the Superior Court of New Jersey’s Appellate Division wrote in a May 1 decision.

“The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action,” said Court, adding, “Coverage could only be excluded here if we stretched the meaning of ‘hostile’ to its outer limit in an attempt to apply it to a cyberattack on a noncombatant firm...”

The ruling affirms a January 2022 ruling from the Superior Court of New Jersey. The lower court found in favor of Merck, noting that the insurers’ war exclusions made no mention of cyber warfare and the insurers “did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyberattacks.”

On June 27, 2017, a widespread malware attack known at NotPetya infected over 40,000 machines on Merck’s global network. The event caused extensive disruption and damage to businesses and organizations in 64 countries, per court documents.

For Merck, the attack caused "production facilities and critical applications to go offline and [created] massive disruptions to Merck's operations, including its manufacturing, research and development, and sales operations."

At the time, Merck held 26 all-risk property policies with a tower of insurers including units of Chubb, AIG, Allianz, Liberty Mutual, QBE, and several Lloyd’s syndicates and limits of $1.75 billion. The pharma firm filed its claim in July 2017, to which the insurers replied with a reservation of rights letter.

In August 2018, after the cyber experts tied the NotPetya attack to threat actors working on behalf of the Russia government, most of Merck’s insurers denied coverage based on exclusions in the policies for “hostile” or “warlike” actions. In response, Merck sued, seeking up to $1.4 billion in losses tied to the cyber event.

The Court noted that several of the insurers resolved their claims with Merck while the case made its way through the court system, leaving just eight insurers and just under $700 million in coverage still disputed at the time of oral arguments.

On appeal, the insurers along with a host of industry trade groups argued that while NotPetya may not have been “warlike,” it certainly falls under the umbrella of “hostile.”

“They assert the word ‘hostile’ should be read in the broadest possible sense, as meaning ‘adverse,’ ‘showing ill will or a desire to harm,’ ‘antagonistic,’ or ‘unfriendly,’” the Court noted. “According to the Insurers, any action that ‘reflects ill will or a desire to harm by the actor’ falls within the hostile/warlike action exclusion, as long as the actor was a government or sovereign power, in this case the Russian Federation.”

However, the Court disagreed. While acknowledging the lack of precedent on this subject, the justices asserted the need for “plain language pertinent to the situation to permit the enforcement of an exclusion.”

In examining the history of the war exclusion, the Court cited several cases where the exclusion has been applied and noted it had “never been applied outside the context of a clear war or concerted military action.”

While not commenting specifically on the decision, a spokesperson for the American Property Casualty Insurance Association (APCIA) told Advisen that cyber risk “ranks among the highest global risks for insurers and industry.”

“Proper application of an insurance contract exclusion for losses caused by ‘hostile or warlike action in time of peace or war,’ which insurers rely on to protect against aggregated and uninsurable risk, is essential to the insurance market’s ability to underwrite cyber risk and assist industry in defending against cyber threats and building resilience in the wake of cyberattacks,” said Claire Howard, senior vice president and general counsel for APCIA. “Requiring insurers to continuously update broad policy exclusions whenever a new mode of activity is developed that is clearly encompassed within the plain terms but not specified by name would eviscerate many exclusions whose language is designed to stand the test of time without constant changes.” 

Howard added, “Furthermore, policy language disputes involving sophisticated insureds with significant bargaining power should be resolved through an even-handed application of the contract terms, instead of applying rules of construction designed to favor consumers who lack market power to change their insurance policy terms.”

Managing Editor Erin Ayers can be reached at erin.ayers@zywave.com