Appellate Court Affirms Summary Judgment In Favor Of Insured For Coverage Of Losses From Ransomware Attack

A New Jersey appeals court affirmed summary judgment for insured pharmaceutical company Merck in a cyber coverage dispute regarding a “Hostile/Warlike Action” exclusion included in a $1.75 billion “all risks” property insurance program. Merck & Co., Inc. v. Ace American Ins. Co., No. A-1879-21, A-1882-21, 2023 WL 3160845 (N.J. Sup. Ct. App. Div. 2023).   

Merck and other companies doing business in Ukraine used a third-party system (M.E. Doc) for processing and transmitting invoices, tax, and other financial data to the Ukrainian government. On June 27, 2017, malware known as NotPetya infected Merck’s computer and network systems through an M.E. Doc software update. Threat actors accessed M.E. Doc source code and software distribution infrastructure and pushed updates that allowed the threat actors to access customer systems. Merck received the malicious updates through its servers located in Ukraine, which regularly checked for new versions of M.E. Doc. After gaining access to Merck’s computer and network systems, NotPetya attempted to encrypt certain data on the system. The encryption rendered the data and systems inaccessible and inoperable. After encrypting the data, the ransomware pushed a message offering a decryption key in exchange for payment of a ransom. NotPetya infected over forty thousand (40,000) machines in Merck’s network. Merck claimed the malware caused production facilities and critical applications to go offline and created massive disruptions to its manufacturing, research and development, and sales operations. Merck reported the NotPetya attack to multiple insurers under its “all risks” property insurance program, seeking coverage for more than $699 million in losses.

The Hostile/Warlike Action exclusion at the center of this dispute excluded loss or damage caused by “hostile or warlike action in time of peace or war, including… hindering, combating, or defending against an actual, impending, or expected attack: (a) by any government or sovereign power… or by any authority maintaining or using military, naval, or air forces; (b) or by military, naval or air forces; (c) or by an agent of such government, power, authority, or forces.” Most of Merck’s insurers denied coverage under this exclusion, reasoning the NotPetya cyberattack was very likely orchestrated by actors working on behalf of the Russian Federation. Merck filed suit against its insurers seeking declaratory judgment that the exclusion did not apply and that it was entitled to coverage for its losses from the NotPetya attack. The trial court granted summary judgment for Merck, finding the Hostile/Warlike Action exclusion did not apply. On appeal, the Insurers argued summary judgment in favor of Merck was improper because the word “hostile” as used in the exclusion should be read in the broadest sense. Under the Insurers’ interpretation, any action that reflects ill will or a desire to harm by the actor should fall within the Hostile/Warlike Action exclusion, as long as the actor was a government or sovereign power.

The New Jersey appeals court affirmed summary judgment for Merck and held the Hostile/Warlike Action exclusion did not apply. The court emphasized the need for “plain language pertinent to the situation to permit the enforcement of an exclusion.” The exclusion must be “clear and specific” and the conclusion that the circumstances fall within the scope must be “evident.” The court found coverage could be excluded in this instance only if it “stretched the meaning of ‘hostile’ to its outer limit,” which would conflict with the basic principles of policy construction. The court also examined the history of war exclusions in insurance policies in general and found they had never been applied outside the context of “a clear war or concerted military action,” which argued against applying the exclusion to a cyberattack. The court concluded the Hostile/Warlike Action exclusion was inapplicable to bar coverage for Merck’s losses from the NotPetya attack.

The Merck decision is significant because it maintains an avenue for insureds to seek coverage for cyberattacks under standard property policies, rather than solely under cyber-specific policies. The decision highlights the importance of conscientious underwriting with cyber claims in mind for all lines of insurance so that carriers are not unwittingly exposed to coverage for cyberattacks where none was intended.