Sovereign nation states have been behind (or suspected of being behind) some of the worst cyberattacks. When a cyberattack has state involvement, the inevitable question is whether it constitutes an act of war. The answer can have a profound impact on insurance coverage because virtually every insurance policy has a war exclusion. In a case of first impression, a New Jersey trial court recently addressed whether a war exclusion applied to losses arising from the NotPetya cyberattack in 2017.
The United States and several other countries contended that Russia was responsible for launching the NotPetya attack to destabilize Ukraine. NotPetya quickly spread beyond its intended targets in Ukraine, causing collateral damage to millions of computers worldwide. Among the many impacted organizations was the pharmaceutical company, Merck & Co. Inc., which suffered damage to 40,000 of its computers, costing it more than $1.4 billion.
Merck sought coverage from its property insurers. Merck’s property insurance policies included coverage for damage to computer programs and software. Merck’s insurers, however, denied coverage, based on the war exclusion. In the ensuing insurance coverage litigation, the parties cross moved for summary judgment. The insurers argued that the war exclusion applied because Russia released NotPetya as part of hostilities against Ukraine. Merck challenged whether the war exclusion applied to cyberattacks at all.
Agreeing with Merck (and granting summary judgment in its favor), the Superior Court of New Jersey held that “the war exclusion applied only to traditional forms of warfare.” The court considered the ordinary meanings of the exclusion’s key terms, “hostile” and “warlike,” finding that they signified the use of armed forces in combat involving two or more nations or states.
The court surveyed prior caselaw relating to the war exclusion, finding that no court had applied it to anything “remotely close to the facts herein.” The court highlighted that the word “war” should be given its “ordinary, usual and realistic meaning,” that is, “actual hostilities between the armed forces of two or more nations or states de facto or de jure.”
The court found compelling that the war exclusion had remained virtually the same for many years, despite the rise of cyberattacks. The court noted that the insurers could have modified the exclusion, yet they failed to do so.
The Merck decision shows that courts will not easily be swayed by insurers’ attempts to deny coverage for cyberattacks based on the war exclusion. Although the Merck decision is a trial-level opinion, its reasoning is unequivocal. Citing the “plain meaning” of the exclusion, the court “unhesitatingly” found that it did not encompass the cyberattack. At no point did the court even suggest that the insurers’ interpretation was reasonable.
Unfortunately, policyholders who experience cyberattacks have not heard the last of the war exclusion. Insurers will likely continue to assert that it applies to state-sponsored cyberattacks. In a case currently pending in Illinois, another insurer is asserting that the war exclusion precludes coverage for its insured’s NotPetya losses.
In addition, insurers may react to the Merck decision by modifying the war exclusions in their policies. The Lloyd’s Market Association has published several model war exclusions that introduce cyber-related terminology. Although such modifications may help insurers distinguish the Merck decision, they are unlikely to put an end to disputes over the war exclusion. New controversies are bound arise over the interpretation of the new terminology and whether it applies in a particular situation.
The Merck decision provides much needed guidance on the interplay between cyberattacks and the war exclusion. Due to the potential for state-sponsored cyberattacks to cause losses on a global scale, however, policyholders, insurers, and courts will continue to grapple with the war exclusion. Policyholders should watch for insurers’ attempts to modify the war exclusion, particularly in their cyber insurance policies, and, in the event of a claim, scrutinize insurers’ attempts to utilize the war exclusion to deny coverage.
 Opinion, Merck & Co. v. ACE American Insurance Co., No. UNN-L-2682-18 (N.J. Super. Ct. Law Div. Jan. 13 2022).
 See Mondelez International, Inc. v. Zurich American Ins. Co., No. 2018LO11008 (Ill. Cir. Ct.).
 Gareth Corfield, “Don’t panic about cyber insurers pulling up the drawbridge, says Lloyd’s,” The Register, (December 9, 2021), theregister.com/2021/12/09/lloyds_lma_cyber_insurance_clauses.