The New Jersey Supreme Court has agreed to decide whether a hostile/warlike action exclusion in an all risks property insurance policy applies in a case involving insurance coverage for a 2017 Russian cyberattack.

The state’s high court will hear an appeal by eight insurers of a state appeals court ruling in May that found the exclusion did not apply to a NotPetya attack on the pharmaceutical firm Merck & Co. The high court granted the appeal on July 19.

The appeals panel said that the insurers did not demonstrate that the NotPetya attack was a “hostile” or “warlike” action and thus the exclusion did not apply. The court found that the exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action. The appeals panel affirmed a 2022 decision by the Union County Superior Court.

Related articles: NJ Court Affirms Merck Ruling: War Exclusion Does Not Apply to Cyber Attack; Consistent Policy Wording Bringing Some Relief to Evolving Cyber Market

While insurers conceded the word “warlike” in the exclusion might not be applicable, they asserted the word “hostile” should be read in the broadest possible sense, as meaning “adverse,” “showing ill will or a desire to harm,” “antagonistic,” or “unfriendly.” They contended that any action that “reflects ill will or a desire to harm by the actor” falls within the hostile/warlike action exclusion, as long as the actor was a government or sovereign power, in this case the Russian Federation.

The insurers maintained that the exclusion “is clear and unambiguous” and it plainly applies to the NotPetya attack because it was attributed to Russia and was meant to be deployed to disrupt and destabilize Ukraine.

However, the appeals court found that the plain language and history of the exclusion do not support the insurers’ interpretation. “The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action. The exclusion does not state the policy precluded coverage for damages arising out of a government action motivated by ill will,” the court wrote.

In considering the history of the war exclusion, which has been included in policies for more than a century, the court found that the few applicable cases reaffirm that similar exclusions have never been applied outside the context of a clear war or concerted military action.

Case History

More than 30 insurers were involved in the case at the start. However, many have since resolved their claims with Merck, leaving eight remaining defendants. Merck’s property insurance program included the “all risks” property policies in a three-layer structure, with $1.75 billion in total limits above a $150 million deductible. The remaining eight Insurers’ policies insured percentages of coverage in one, two or all three of the layers. In total, they are disputing $699,475,000 in coverage or just under 40% of Merck’s total coverage for the policy period. The eight insurers still in the fight include Ace American, Allianz, Liberty Mutual, QBE, XL and Lloyd’s syndicates.

On June 27, 2017, the malware known as NotPetya infected Merck’s computer and network systems. Prior to that date, someone had gained access to the computer systems of a Ukrainian company that had developed an accounting software called M.E. Doc used by Merck and other companies in Ukraine. The NotPetya malware was delivered into the accounting software.

Ultimately, more than 40,000 machines in Merck’s network were infected. Merck contends the malware “caus[ed] production facilities and critical applications to go offline and create[ed] massive disruptions to Merck’s operations, including its manufacturing, research and development, and sales operations.”

While the court ruling was specific to New Jersey, analysts and attorneys said it was a warning to property/casualty insurers and reinsurers about cyber coverage embedded in traditional policies.

Lloyd’s Cyber War Exclusions: Confusing, Disruptive, but Necessary?

After the lower court ruling in New Jersey in 2022, food and beverage company Mondelez International settled its lawsuit against Zurich American Insurance Co. in Illinois over its $100 million NotPetya claims.

In August 2022, a Lloyd’s market bulletin said insurers must exclude catastrophic state-backed cyber-attacks in standalone (or affirmative) cyber policies. The exclusion should include liability for losses arising from both war- and non-war-related state-backed cyber-attacks.

The Russian invasion of Ukraine has increased the risk of cyberattacks and further testing of the “war exclusion” and “hostile act exclusion” language.

A recent AM Best report found that war risk exclusions vary by company, with some carriers sticking with traditional war exclusions and others accepting certain war exposures.

“Systemic risk is an ongoing concern. Property catastrophes typically affect a limited geographic area, but a cyber catastrophe, as we saw with NotPetya [cyber attacks that occurred in Ukraine in 2017], can go worldwide,” said Fred Eslami, associate director, AM Best.

“As the definition of war becomes broader, so may the exclusion as well, which could lead to insureds with less coverage, Eslami added. “Ultimately, the coverage provided to insureds may be decided by the risk appetite of the insurer, and to a certain extent, the coverage that reinsurers are willing to provide.”

This article was originally published by Insurance Journal. Reporter Andrew Simpson was previously the Chief Content Officer of Wells Media.