Skip to content
LPBN-Icon-v1 (1)
Legal Profession Blog
A Member of the Law Professor Blogs Network

War And Insurance

By Michael Frisch

The New Jersey Appellate Court affirmed the grant of insurance coverage for a cyberattack on Merck

On leave to appeal, we consider whether plaintiff Merck & Co., Inc.  (plaintiff or Merck) is entitled to insurance coverage under the “all risks” property insurance policies issued by defendants after a cyberattack infected and damaged thousands of plaintiff’s computers in its global network. Defendants denied coverage under the “Hostile/Warlike Action” exclusion included in all their policies. The trial court granted plaintiffs’ summary judgment motions, finding the exclusion did not apply to plaintiffs’ claims. 

In considering the plain language of the exclusion, and the context and history of its application, we conclude the Insurers did not demonstrate the exclusion applied under the circumstances of this case, namely, that this cyberattack was a “hostile” or “warlike” action as contemplated under the exclusion. Therefore, we affirm.

The attack

On June 27, 2017, a malware known as NotPetya infected Merck’s computer and network systems. Prior to that date, someone had gained access to the computer systems of a Ukrainian company that had developed an accounting software called M.E. Doc used by Merck and other companies in Ukraine. The NotPetya malware was delivered into the accounting software.

Its effects

Within ninety seconds of the initial infection, approximately 10,000 machines in Merck’s global network were infected by NotPetya; about 20,000 machines were infected within five minutes. Ultimately, over 40,000 machines in Merck’s network were infected. Merck contends the malware “caus[ed] production facilities and critical applications to go offline and create[ed] massive disruptions to Merck’s operations, including its manufacturing, research and development, and sales operations.”

The NotPetya malware spread to at least sixty-four different countries, including Russia.

Plain language

the plain language of the exclusion does not support the Insurers’ interpretation. The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action. The exclusion does not state the policy precluded coverage for damages arising out of a government action motivated by ill will.

…We agree with the trial court that the plain language of the exclusion did not include a cyberattack on a non-military company that provided accounting software for commercial purposes to non-military consumers, regardless of whether the attack was instigated by a private actor or a “government or sovereign power.”

A 1922 precedent involved ships traveling in a convoy that collided during World War One

The reason the ships were traveling in a convoy was due to the presence of war. But because the shipping was wholly commercial and the collision was directly caused by faulty navigation, the court did not find the “but for” link to the war sufficient to incur coverage under the war risk policy. Similarly, here, the NotPetya attack is not sufficiently linked to a military action or objective as it was a non-military cyberattack against an accounting software provider.

Thus

Contrary to the Insurers’ contentions, these cases demonstrate a long and common understanding that terms similar to “hostile or warlike action” by a sovereign power are intended to relate to actions clearly connected to war or, at least, to a military action or objective. Therefore, in addition to the plain language interpretation of the exclusion requiring the inapplicability of the exclusion, the context and history of this and similarly worded exclusions and the manner in which similar exclusions have been interpreted by courts all compel the conclusion that the exclusion was inapplicable to bar coverage for Merck’s losses.

(Mike Frisch)

Posted in:
Current Affairs