caption
The Superior Court of New Jersey, Law Division, recently held that a malware attack incident was not an act of war as excluded by the traditional war exclusions in the applicable property policies. The case is Merck & Co. Inc. vs. Ace American Insurance Co. et al, N.J. Super. Ct., No. L-002682-18, summary judgment 1/13/22.
Pharmaceutical giant Merck & Co. sued insurers over coverage for $1.4 billion losses from malware known as NotPetya in a cyber-attack occurring in 2017. Merck sued its insurers after they denied coverage for NotPetya's impacts to the pharma company's computer systems, citing the "acts of war" exclusion in the property policies. The malware attack was attributed to Russia's military intelligence agency, deployed as part of a conflict with Ukraine.
The New Jersey Superior Court ruled in January that Merck's insurers can't claim the war exclusion because the language was designed to apply to armed conflict. According to the ruling, the insurers failed to change the war language to put companies like Merck on notice that cyberattacks would not be covered, despite an uptick in attacks by countries like Russia against private sector companies.
The court was considering whether coverage applied under an all-risk property insurance policy, not a cyber-specific policy. Both types of policies typically contain war or warlike action exclusions. These exclusions typically only apply to traditional forms of warfare. This is why the insurers' initial denial of coverage for Merck's losses sparked such concern that insurers may be attempting to broaden the reach of the exclusion.
Editor's Note: This big pharma victory is expected to force insurance policies to more clearly confront responsibility for the fallout from nation-state cyberattacks. Since the NonPetya cyber attacks, some insurance companies have already taken steps to revise their non-cyber policies to add more robust cyber exclusions.