The Superior Court of New Jersey Appellate Division has ruled in favor of Merck in its $1.4 billion claim against the insurance industry for denying payment for damages caused by the 2017 NotPetya cyberattack. Merck did not have separate cyber insurance, and instead relied on the ‘all risks’ element of its property insurance.
According to Merck, within ninety seconds of the initial NotPetya infection, roughly 10,000 machines in its global network were infected by the malware, and over 40,000 machines were ultimately infected across the company globally.
The insurers claimed that the property insurance was subject to a war exclusion clause, and the “exclusion is clear and unambiguous, and it plainly applies to the NotPetya attack.”
Judges Currier, Mayer and Enright have now disagreed, and declared, “We have addressed the exclusion in terms of the presented circumstances before us. And we have found the Insurers have not satisfied their burden to show it could be fairly applied to the NotPetya cyberattack. That is the scope of our review. Therefore, we decline the Insurers’ request to delineate the exact scope of what cyberattacks might be encompassed under the hostile/warlike exclusion.”
This is an interesting position. While declining to accept the nation-state NotPetya attack as an act of war, they have also declined to define what type of cyberattack could be defined as an act of war.
But as far as this case is concerned, that is academic. The court concluded, “terms similar to ‘hostile or warlike action’ by a sovereign power are intended to relate to actions clearly connected to war or, at least, to a military action or objective. Therefore, in addition to the plain language interpretation of the exclusion requiring the inapplicability of the exclusion, the context and history of this and similarly worded exclusions and the manner in which similar exclusions have been interpreted by courts all compel the conclusion that the exclusion was inapplicable to bar coverage for Merck’s losses.”
David Cummings, a partner in the litigation practice group of Reed Smith (who authored an amicus brief filed by United Policyholders in the case), commented, “The Appellate Division’s decision is an important win for policyholders who continue to seek (and pay substantial premiums for) certainty with respect to their insurance coverage in the face of these often uncertain cyberattacks.
“In many ways, this decision boils down to the Court’s thoughtful application of fundamental principles of insurance law: exclusionary provisions must be construed narrowly against the insurer, any ambiguities must be resolved in the insured’s favor and consistent with the insured’s reasonable expectations. On that score, the Court correctly determined that the plain language of the policies’ hostile/warlike action exclusion simply cannot reasonably be interpreted as encompassing a cyberattack on a non-military company providing commercial services to non-military customers.”
Cyber is, however, considered to be a modern theater of war – and cyber changes faster than any other modern arena. Discussion will likely continue over the validity of applying historical definitions to the new world.
Nevertheless, continued Cummings, “The mere presence of hostile or warlike action is not enough where, as here, the underlying activity is commercial in nature, and the damage is not caused by a warlike attack directed at the policyholder. In sum, the Court’s decision was a meaningful affirmation that plain language and the core, policyholder-friendly tenets of insurance law must ultimately prevail.”
This may or may not be the end of the Merck case, but it is probably just the beginning of future arguments about what can or cannot be construed as a cyber act of war. A $1.4 billion payout is no small matter for the insurance industry and is bound to have future ramifications on the cyber – and property – insurance industry.
Related: Cyberinsurance Backstop: Can the Industry Survive Without One?
Related: Talking Cyberinsurance With Munich Re
Related: Lloyd’s of London Introduces New War Exclusion Insurance Clauses
Related: Court Awards Merck $1.4B Insurance Claim Over NotPetya Cyberattack