A New Jersey appeals court has ruled that an exclusion for “hostile/warlike action” in insurance policies covering “all risks” did not prevent a pharmaceutical company, Merck & Co., from claiming damages resulting from a cyberattack. The ruling was issued on May 1 by the New Jersey Superior Court’s Appellate Division.
In June 2017, Merck’s computer and network systems were infected with NotPetya malware, which caused more than $1.4 billion in losses. The malware entered the systems through accounting software made by a Ukrainian company.
Merck filed a claim for damages with its insurers, which was contested by eight of them, including Aspen Insurance, the HDI Global Insurance Co., the National Union Fire Insurance Co. of Pittsburgh, Syndicate No. 1183 at Lloyd’s London, the Zurich American Insurance Co., Mapfre Global Risks, Compañia Internacional de Seguros y Reaseguros, and the Vienna Insurance Group.
The insurers argued that the exclusion for “hostile/warlike action” applies when a government or a sovereign power takes action that reflects ill will or intent to harm. They contended that the NotPetya virus was linked to the Russian Federation, implying that the exclusion should apply.
However, the appeals court disagreed, stating that “military action” is required before invoking the exclusion. The court noted that the plain language of the exclusion did not include a cyberattack on a nonmilitary company that provided accounting software for commercial purposes to nonmilitary consumers, regardless of whether the attack was instigated by a private actor or a ‘government or sovereign power.’
The ruling has significant implications for the insurance industry and could potentially lead to more claims from companies that have suffered losses due to cyberattacks. The decision suggests that insurance policies with similar exclusion clauses may not be effective in preventing cyberattack claims.
Merck was insured under 26 all-risks policies at the time of the cyberattack. Several insurers reached settlements before the appeal, leaving eight insurers to contest the claim. The insurers will now have to pay the damages claimed by Merck unless they appeal the ruling further.
The ruling highlights the importance of carefully reviewing insurance policies and the exclusions they contain. Companies should consider the potential risks they face and ensure that their insurance policies provide adequate coverage for those risks.
Cybersecurity threats have become a significant concern for businesses, particularly as more companies operate online and store sensitive data digitally. Cyberattacks can cause significant financial losses and reputational damage. Having adequate insurance coverage is essential to protect against these risks.
The New Jersey appeals court’s ruling in favor of Merck & Co. Inc. has significant implications for the insurance industry, particularly with respect to policies that include exclusions for “hostile/warlike action.” The decision suggests that these exclusions may not be effective in preventing cyberattack claims. The ruling highlights the importance of carefully reviewing insurance policies and ensuring that they provide adequate coverage for potential risks.