(Article from Insurance Law Alert, May 2023)
For more information, please visit the Insurance Law Alert Resource Center.
Holding
A New Jersey appellate court affirmed a trial court decision granting a policyholder’s motion for summary judgment, ruling that a war exclusion does not bar coverage for property damage claims arising out of a malware attack. Merck & Co. v. Ace Am. Ins. Co., 2023 N.J. Super. LEXIS 43 (N.J. App. Div. May 1, 2023).
Background
In 2017, a malware known as NotPetya infected Merck’s global computer network systems. The infection allegedly resulted in disruptions to Merck’s operations, including its manufacturing, sales, and research and development. When Merck submitted a notice of loss to its “all-risk” property insurers, they issued reservations of rights, raising a hostile/warlike action exclusion. The insurers noted that a cyber-consultant had concluded that the cyber-attack was “very likely orchestrated by actors working for or on behalf of the Russian federation.” In ensuing litigation, a New Jersey trial court concluded that the hostile/warlike action exclusion did not apply. (See January 2022 Alert). This month, an appellate court affirmed.
Decision
The hostile/warlike action exclusion applied to:
Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack: (a) by any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval, or air forces; (b) or by military, naval, or air forces; (c) or by an agent of such government, power, authority, or forces[.]
While the insurers conceded that the term “warlike” might not apply, they contended that “hostile” encompassed “antagonistic” actions that “reflect ill will or a desire to harm,” such as a malware attack by a government actor. Rejecting this contention, the court reasoned that the plain language of the exclusion “requires the involvement of military action.”
Comments
This ruling is a first of its kind in New Jersey. As such, the appellate court’s decision was based largely on general principles of insurance policy interpretation relating to the narrow construction of exclusions in all-risk policies. The court appeared troubled that application of the exclusion here would preclude coverage for “a cyberattack on a non-combatant firm that provided accounting software updates to various non-combatant customers, all wholly outside the context of any armed conflict or military objective.”
The decision does not establish a blanket rule that cyberattacks can never be subject to a war exclusion. The court declined to delineate the precise scope of when cyberattacks might be encompassed by the exclusion, giving rise to the possibility that a different fact pattern involving a cyberattack might fall within the scope of this or similar exclusionary language. The recent updates to war exclusions that have become more common in the market may make this case instructive rather than one of broad application.