Pharmaceutical giant Merck won a major victory over its insurance carrier in New Jersey Superior Court recently. Merck’s victory means its carrier is liable to pay out up $1.4 billion to Merck for alleged losses arising out of the 2017 NotPetya malware attack. Merck’s all-risks property policy covered Merck for losses resulting from destruction or corruption of computer data software. The carrier declined coverage for the NotPetya attack, citing a policy exclusion for “loss or damages caused by hostile or warlike action.” Judge Thomas Walsh of the New Jersey Superior Court issued a Partial Summary Judgment for Merck, finding that the “hostile or warlike action” exclusion did not apply to the malware attack.
The carrier attempted to rely on the United States Department of Justice’s decision in October 2020 to charge six Russian intelligence officer nationals with ties to Russian military intelligence with facilitating the NotPetya attacks. In the charging papers, U.S. prosecutors noted that Russia had “maliciously or irresponsibly” “weaponized its cyber capabilities.” In the lawsuit, the carrier argued that the NotPetya malware was an “instrument of the Russian Federation as part of its ongoing hostilities against the nation of Ukraine,” and that the malware attack was therefore an “act of war.”
That was not enough for the New Jersey court. Judge Walsh noted that insurance policy language must be given its plain meaning, with interpretation of ambiguous terms to conform to the “reasonable expectations of the insured.” Judge Walsh cited to the Oxford English Dictionary’s definition of “hostile or warlike action,” as “of, pertaining to, or characteristic of an enemy; pertaining to or engaged in actual hostilities.”
Judge Walsh also observed that, “[B]oth parties to this contract are aware that cyber attacks of various forms, sometimes from private sources and sometimes from nation-states, have become more common. Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks…Having failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.”
Merck’s is not the only lawsuit seeking to circumvent a “warlike action” policy exclusion. Mondelez International, the owner of U.S. food brands such as Oreo and Nabisco sued its carrier, Zurich American Insurance, in 2018 in Illinois over a similar policy exclusion in an all-risks insurance policy. That case is still unresolved.
In the wake of malware attacks such as NotPetya and Solar Winds, carriers are rewriting insurance policies to cover “cyberterrorism,” while continuing to exclude “war or hostile acts.” The Merck decision may push carriers to close the coverage loophole and resolve the apparent conflict between covering cyberterrorism and excluding “hostile action.”
Much as the September 11 terror attacks led to the passage of the Terrorism Risk Insurance Act, which required insurance carriers to make terrorism coverage available to commercial policyholders, the new wave of cyberattacks, some state-sponsored, will have a lasting impact on insurance coverage for years to come.