Companies seeking insurance coverage for losses from cyberattacks received good news this month. The New Jersey Superior Court for Union County found that Merck & Co., Inc.’s claim for coverage under their $1.75 billion insurance policy with ACE American Insurance Company (now The Chubb Corporation) is not barred by the policy’s war exclusion clause. Merck successfully asserted their expectation that the exclusion only bars claims resulting from “traditional forms of warfare.”
This case sends a strong signal from the judiciary to carriers: attempting to shoehorn cyberattacks into exclusions that were intended to cover completely separate circumstances will not work. As the court notes in its decision, insurers are well aware of the prevalence of malware and other cyberattacks by domestic and foreign actors. If they intend to exclude such incidents form coverage they should do so explicitly.
Merck, along with its insurer International Indemnity, Inc., had purchased an “all risks” property insurance policy from ACE for loss or damages resulting from corruption or destruction of their computer data and software. On June 27, 2017, Merck’s computer systems were infected by the notorious NotPetya malware that also infected computer systems around the globe. Merck claims that the malware infected 40,000 of its computers, resulting in damages of more than $1.4 billion. The NotPetya malware was determined by many experts to be a cyber weapon launched by Russia primarily against Ukraine.
ACE sought to deny coverage claiming that the damages were not covered because of the War/Hostile Acts Exclusion clauses in the policy.
The parties to the suit filed cross-motions for summary judgment relative to the policy exclusion clauses.
Judge Thomas J. Walsh noted that the insurance contracts were “all risks” policies which “creates a ‘special type of insurance’ extending to risks not usually contemplated, and recovery under the policy will generally be allowed, at least for all losses of a fortuitous nature, in the absence of fraud or other intentional misconduct of the insured, unless the policy contains a specific provision expressly excluding the loss from coverage.”
Judge Walsh noted that the words “hostile or warlike action” must be given their ordinary meaning. Merck urged that the acts contemplated by the exclusion clause would involve acts by armed forces and argued that all the case law on the war exclusion supported this interpretation.
In considering the ordinary meaning of the war exclusion clause combined with the relevant case law, the Court “unhesitatingly finds that the exclusion does not apply.”
The judge noted that both parties to the insurance policy certainly were aware of the existence of cyber attacks, yet ACE did not change the language of the exemption to state that the exclusion would include such attacks. With that, the court found Merck’s expectation that the exclusion only applied to traditional forms of warfare was reasonable.
Scott Godes of Barnes & Thornburg LLP has for many years represented policyholders in complex coverage matters, including those relating to cyber losses. He told the MoginRubin Blog that the court rejected what he called “the insurance carriers’ efforts to over-reach” by applying the war exclusion to a cyber-attack. “This decision is good news for policyholders facing arguments from claims adjusters or carrier-side coverage counsel that ‘war exclusions’ apply broadly to other cyber events.”
A similar case is pending in Illinois Circuit Court for Cook County, where Mondelez International seeks summary judgment against Zurich Insurance Group Ltd. for coverage of losses it suffered during its NotPetya attack. The global snack-food maker, with brands like Oreo cookies, Ritz crackers and Philadelphia cream cheese, saw 1,700 servers and 24,000 laptops wiped clean by the attack. Mondelez seeks $10 million from its carrier.
It will be interesting to see how insurance companies and their insureds negotiate the terms of all-risks policies and their exclusions going forward.