In a published opinion, the New Jersey Appellate Division concluded that an insurance policy exclusion for "hostile/warlike action" did not include a cyberattack on a nonmilitary company, regardless of whether that attack was from a private actor or a government or sovereign power. The case is Merck & Co. v. Ace Am. Ins. Co., 2023 N.J. Super. LEXIS 43 (N.J. Super. Ct. App. Div. 2023).
According to the opinion, a malware/cyberattack known as NotPetya infected Merck's computer and network systems in 2017, which was delivered through an accounting software called M.E. Doc. Within 90 seconds of the initial infection, 10,000 machines were infected. Within five minutes, that number reached 20,000. The attack resulted in the infection of more than 40,000 network machines and caused massive disruptions to the company's global network in at least 64 countries.
As a result of the infection, Merck contended that its production facilities and critical applications went offline, which disrupted its operations in manufacturing, research, development, and sales, according to the opinion.
For the period in question, Merck had a property insurance program that included "all risks" in a three-layer structure with $1.75 billion in total limits above a $150 million deductible, according to the opinion. During the discovery period, many of the defendant insurers settled their claims with Merck, leaving eight remaining insurers involved in the appeal. In dispute is a total of nearly $700 million, or 40%, of Merck's coverage for the period.
The remaining insurers included Aspen Insurance, HDI Global Insurance, National Union Fire Insurance, Syndicate No. 1183 at Lloyd's London, Zurich American, Mapfre Global Risks, Compañia Internacional de Seguros y Reaseguros and Vienna Insurance Group, according to the opinion.
The insurers denied Merck's coverage for losses under the "hostile/warlike action" exclusion.
The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action. The exclusion does not state that the policy precludes coverage for damages arising out of a government action motivated by ill will.
Judge Heidi Willis Currier, writing for the court, said that the defendants conceded that the word "warlike" might not be applicable. Instead, the insurers asserted that the word "hostile" should be read in the broadest possible sense.
"Defendants contend that any action that 'reflects ill will or a desire to harm by the actor' falls within the hostile/warlike action exclusion, as long as the actor was a government or sovereign power," Currier wrote.
But the appeals court held that the plain language of the exclusion does not support the defendant's interpretation.
"The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action," Currier wrote. "The exclusion does not state the policy precluded coverage for damages arising out of a government action motivated by ill will."
Currier stated that although there is no precedent considering the hostile/warlike action exclusion, the New Jersey Supreme Court consistently requires "plain language pertinent to the situation to permit the enforcement of an exclusion."
"We agree with the trial court that the plain language of the exclusion did not include a cyberattack on a non-military company that provided accounting software for commercial purposes to non-military consumers, regardless of whether the attack was instigated by a private actor or a 'government or sovereign power," Currier wrote.
Counsel to National Union, James E. Rocap III of Steptoe & Johnson, counsel to the remaining seven insurers, Philip C. Silverberg of Mound Cotton Wollan & Greengrass, and counsel to Merck, Mark W. Mosier of Covington & Burling, did not immediately return requests for comment.
The original version of this story appeared on New Jersey Law Journal.