Insurance “War Exclusion” Applies to “Traditional Forms of Warfare,” Not Merck’s $1.4B Cyber Loss Claim, Says Court
Unfortunately for King Priam, the “war exclusion” term in his insurance policy likely excluded from coverage damage resulting from the Greeks’ Trojan-horse attack. Fortunately for Merck & Co. (“Merck”), that exclusion doesn’t apply to Trojan-horse cyber attacks, based on a recent court ruling. On January 13, 2022, a New Jersey state court rejected arguments from fifteen insurers seeking to deny coverage for Merck’s $1.4 billion loss from a 2017 cyber attack and found that the war exclusion term did not apply. [1] Many in the industry, including Ice Miller, [2] anticipated this result. But policyholders should expect that insurers will re-draft and broaden the scope of war exclusion terms in future cyber policies.
Background of NotPetya Attack and War Exclusion
In 2017, pharmaceutical giant Merck fell victim to the NotPetya cyber attack, which, disguised as ransomware, was actually a destructive “wiper” attack. The attack, aimed at a Ukrainian target, caused collateral damage around the globe exceeding billions of dollars. Merck alone estimated that 40,000 of its computers were infected and rendered useless, with an estimated $1.4 billion in damages. In the aftermath of the attack, Merck and many other affected entities submitted claims under all-risk property insurance to recoup the astronomical damages suffered. Insurers, however, denied the claims under the “war exclusion” clauses, arguing that the cyber attack was an act of war by one state actor, Russia, against another, Ukraine. Merck, among others, challenged the insurers’ reliance on the war exclusion.
The Court’s Rejection of War Exclusion Argument
The court granted Merck’s request for partial summary judgment, finding that the war exclusion clauses on which Merck’s insurers relied exclude only physical acts of warfare under the traditional definition of war. In insurance disputes, courts recognize the asymmetry between policyholders and insurers in defining the terms and conditions of a policy, because insurers draft the policies. As such, courts often construe ambiguous policy language against the insurers that drafted it, because they had the opportunity to clarify the ambiguity. Here, Merck’s insurers argued that the NotPetya attack, which was sourced to Russian threat actors, fit under the traditional definition of an act of war because it was directed toward Ukrainian assets. The court agreed that “hostilities between armed forces of two or more nations or states” are required under a traditional definition of war, but disagreed that the NotPetya attack fit this traditional definition. For example, the court found that “no court has applied a war (or hostile acts) exclusion to anything remotely close to a malware attack.” The court also noted that cyber attacks are an incredibly common phenomenon and that the insurers had many opportunities to exclude damages arising out of malware attacks specifically. Because the insurers failed to clarify in the policy at issue the broader meaning of the “war exclusion” that they claimed, the court held that the exclusion did not apply to Merck’s $1.4 billion claim.
How Does This Impact My Insurance?
The impact of this decision is already being felt around the insurance world. It is important to note that the insurance policies at issue in this case were “all-risk” property insurance policies, not cyber-risk insurance policies. This ruling bolsters the argument that “silent cyber” coverage may exist in traditionally non-cyber policies. Insurers, however, are already revisiting policies and working toward inserting more specific exclusionary language regarding malware attacks such as NotPetya. More disputes are likely to follow. Policyholders should seek to understand fully the risks that their policies cover and exclude while shopping for insurance.
Ice Miller Cybersecurity Attorneys
Ice Miller has extensive experience assisting companies to navigate and manage cybersecurity risks. Our team includes
Guillermo Christensen, managing partner of the firm’s Washington D.C. office and former CIA officer with national security experience in the intelligence community and internationally with the U.S. Department of State;
Christian Robertson, a former U.S. Air Force intelligence officer who regularly advises clients on federal procurement cybersecurity laws and regulations; and
Angad Chopra, a Certified Privacy Professional and associate in Ice Miller’s Data Security & Privacy Group.
[1] Merck & Co., Inc., et al. v. ACE American Ins. Co., et al., No. UNN-L-002682-18 (N.J. Super. Ct. Law Div. Jan. 13, 2022).
[2] For a more detailed discussion of the potential outcomes and future of this cyber insurance dispute, see Angad Chopra, Note, Cyberattack-Intangible Damages in a Virtual World: Property Insurance Companies Declare War on Cyber-Attack Insurance Claims, 82 Ohio St. L.J. 121 (2021). Ice Miller Data Security & Privacy associate Angad Chopra notes the potential ongoing nature of insurance claims being rejected based on vague or overly non-specific exclusionary clauses and suggests a nuanced approach to the ever-more sophisticated landscape of cyber threats and cybercrime.
This publication is intended for general informational purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstance.