Pharmaceutical giant Merck recently won a major victory over its insurer in New Jersey Superior Court. Merck’s victory means its operator is likely to pay Merck $1.4 billion for alleged losses resulting from the NotPetya malware attack in 2017. Merck’s comprehensive insurance policy covered Merck for losses resulting from the destruction or corruption of computer data software. The carrier declined coverage for the NotPetya attack, citing a policy exclusion for “loss or damage caused by hostile or warlike action”. New Jersey Superior Court Judge Thomas Walsh granted partial summary judgment for Merck, finding that the “hostile or warlike action” exclusion did not apply to the malware attack.
The carrier attempted to rely on the United States Department of Justice’s decision in October 2020 to indict six national Russian intelligence officers with ties to Russian military intelligence for facilitating the NotPetya attacks. In the charging documents, US prosecutors noted that Russia had “maliciously or irresponsibly” “armed its cyber capabilities”. In the lawsuit, the carrier argued that the NotPetya malware was an “instrument of the Russian Federation in its ongoing hostilities against the nation of Ukraine”, and that the attack on the malware was therefore an “act of war”.
It wasn’t enough for the New Jersey court. Justice Walsh noted that the language of the insurance policy must be given its ordinary meaning, with ambiguous terms interpreted to conform to the “reasonable expectations of the insured.” Justice Walsh cited the Oxford English Dictionary’s definition of “hostile or warlike action” as “of, pertaining to or characteristic of an enemy; concerning or engaged in actual hostilities.
Justice Walsh also observed that “[B]Both parties to this contract are aware that cyberattacks of various forms, sometimes from private sources and sometimes from nation states, have become more common. Despite this, the insurers did nothing to change the wording of the exemption to reasonably inform this insured that he intended to exclude cyberattacks… Having failed to change the wording of the policy , Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.
Merck’s action is not the only lawsuit seeking to circumvent the exclusion of a “war action” policy. Mondelez International, owner of American food brands such as Oreo and Nabisco, sued its insurer, Zurich American Insurance, in 2018 in Illinois for a similar policy exclusion in an all-risk insurance policy. This case is still unresolved.
In the wake of malware attacks such as NotPetya and Solar Winds, carriers are rewriting insurance policies to cover “cyberterrorism”, while continuing to exclude “war or hostile acts”. The Merck ruling could push carriers to close the coverage loophole and resolve the apparent conflict between cyberterrorism coverage and the “hostile actions” exclusion.
Just as the 9/11 terrorist attacks led to the passage of the Terrorism Risk Insurance Act, which required insurance companies to make terrorism cover available to commercial policyholders, the new wave of cyberattacks, some of them state-sponsored, will have a lasting impact on insurance coverage. for the coming years.