A New Jersey appeals court affirmed summary judgment for insured pharmaceutical company
Merck in a cyber coverage dispute regarding a “Hostile/Warlike Action”
exclusion included in a $1.75 billion “all risks” property insurance program. Merck
& Co., Inc. v. Ace American Ins. Co., No. A-1879-21, A-1882-21, 2023 WL
3160845 (N.J. Sup. Ct. App. Div. 2023).

Merck and other companies doing business in Ukraine used a third-party system (M.E. Doc)
for processing and transmitting invoices, tax, and other financial data to the
Ukrainian government. On June 27, 2017, malware known as NotPetya infected
Merck’s computer and network systems through an M.E. Doc software update.
Threat actors accessed M.E. Doc source code and software distribution
infrastructure and pushed updates that allowed the threat actors to access
customer systems. Through this update mechanism, Merck received malicious updates
on its servers located in Ukraine, which regularly checked for new
versions of M.E. Doc. After gaining access to Merck’s computer and network
systems, NotPetya attempted to encrypt certain data on the system. The
encryption rendered the data and systems inaccessible and inoperable. After
encrypting the data, the ransomware displayed a message offering a decryption key
in exchange for payment of a ransom. NotPetya infected over forty thousand
(40,000) machines in Merck’s network. Merck claimed the malware caused production
facilities and critical applications to go offline and created massive
disruptions to its manufacturing, research and development, and sales
operations. Merck reported the NotPetya attack to multiple insurers under its
“all risks” property insurance program, seeking coverage for more than $699
million in losses.

The Hostile/Warlike Action exclusion at the center of this dispute excluded loss or damage caused
by “hostile or warlike action in time of peace or war, including… hindering,
combating, or defending against an actual, impending, or expected attack: (a)
by any government or sovereign power… or by any authority maintaining or using
military, naval, or air forces; (b) or by military, naval or air forces; (c) or
by an agent of such government, power, authority, or forces.” Most of Merck’s
insurers denied coverage under this exclusion, reasoning the NotPetya
cyberattack was very likely orchestrated by actors working on behalf of the
Russian Federation. Merck filed suit against its insurers seeking declaratory
judgment that the exclusion did not apply and that it was entitled to coverage
for its losses from the NotPetya attack. The trial court granted summary
judgment for Merck, finding the Hostile/Warlike Action exclusion did not apply. On
appeal, the Insurers argued summary judgment in favor of Merck was improper
because the word “hostile” as used in the exclusion should be read in the
broadest sense. Under the Insurers’ interpretation, any action that reflects
ill will or a desire to harm by the actor should fall within the Hostile/Warlike
Action exclusion, as long as the actor was a government or sovereign power.

The New Jersey appeals court affirmed summary judgment for Merck and held the Hostile/Warlike
Action exclusion did not apply. The court emphasized the need for “plain
language pertinent to the situation to permit the enforcement of an exclusion.”
The exclusion must be “clear and specific” and the conclusion that the
circumstances fall within the scope must be “evident.” The court found coverage
only could be excluded in this instance if it “stretched the meaning of
‘hostile’ to its outer limit”, which would conflict with the basic principles
of policy construction. The court also examined the history of war exclusions
in insurance policies in general and found they had never been applied outside
the context of “a clear war or concerted military action,” which argued against
applying the exclusion to a cyberattack. The court concluded the
Hostile/Warlike Action exclusion was inapplicable to bar coverage for Merck’s losses from
the NotPetya attack.

The Merck decision is significant as it has maintained an avenue for insureds to seek coverage for cyberattacks under standard property policies, rather than solely under cyber-specific policies. The decision highlights the importance of conscientious underwriting with cyber claims in mind for all lines of insurance so that carriers are not unwittingly exposed to coverage for cyberattacks where none was intended.