Cyberattacks continue to grow in sophistication and frequency, with attackers targeting businesses of all industries and sizes with seeming impunity. In the face of this ongoing, pervasive and indiscriminate threat, corporate risk departments are taking measures to assess cyber risks and update network security and protocols in hopes of staying one step ahead of potential hackers.

But just as risk departments are reacting in real time to this ever-growing threat, so too are members of the insurance industry. As cyberattacks grow in sophistication and frequency, costs expended to recover from these attacks grow in kind, which has led to an explosion in insurance claims under cyber insurance policies and other responsive coverage. With insurers obligated to pay substantial sums to settle these claims, the result has been a tightening of the cyber insurance and related markets for renewals and placements and, with respect to claims under existing policies, heightened scrutiny and application of existing terms in rendering claims decisions.

The Court’s decision

An example of such novel application took center stage in a recent decision in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18 (N.J. Sup. Ct.). Merck, a multinational pharmaceutical company, sued its insurers after they denied coverage under an “all risks” insurance policy for a 2017 cyberattack that crippled Merck’s computer systems and caused an alleged $1.4 billion in losses to the company.

Although it was undisputed that the policies at issue provide coverage for “loss or damage resulting from the destruction or corruption of computer data and software,” insurers pointed to an unusual exclusion to support their argument that coverage must be denied: the “Hostile/Warlike Action Exclusion.”

This exclusion precludes coverage for “[l]oss or damage caused by a hostile or warlike action in time of peace or war … by any government or sovereign power … or by any agent of such government, power, authority or forces.”

The insurers reasoned that the malware used in the attack was an instrument of the Russian government “as part of its ongoing hostilities with Ukraine” and, therefore, the exclusion unambiguously applies to preclude coverage.

The court disagreed with the insurers’ application of this exclusion and granted summary judgment in Merck’s favor. Seeming to implicitly recognize the novelty of the insurers’ argument that the exclusion applies in the cyberattack context, it reasoned that the “ordinary meaning” of the exclusion’s terms simply did not support their desired outcome:

The exclusion cites to “hostile or warlike action”. As Plaintiffs correctly note, warlike can only be interpreted as “like war”, citing to the Oxford English Dictionary. That same dictionary defines ‘hostile’ as “of, pertaining to, or characteristic of an enemy; pertaining to or engaged in actual hostilities.” … As Plaintiff correctly notes in its brief, no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.

The court further found that the insured’s reasonable expectations must be considered. Specifically, it determined that “both parties to this contract are aware that cyber attacks in various forms, sometimes from private sources and sometimes from nation-states have become more common. Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks. Certainly they had the ability to do so.”

Takeaways for policyholders

As coverage disputes involving cyberattacks become more frequent and nuanced, the Merck v. Ace decision is an important win for policyholders. Many types of coverage, including cyber insurance and other policies that provide similar coverage, contain the same or an equivalent “act of war” exclusion. This decision is a step toward ensuring that insurers do not use language that could affect a massive subset of policyholders to restrict coverage beyond what the parties intended.

Merck v. Ace also serves as a warning to policyholders in the market for new insurance or upcoming renewals. Insurers have been taking major financial hits on claims related to cyberattacks, and are likely to continue to review and scrutinize policy language with renewed urgency. Policyholders should work with trusted brokers, risk management professionals, and coverage counsel to evaluate policy language before binding to ensure that they fully understand the scope of what they are purchasing, and to flag and consider any changes that may limit, restrict, or otherwise change their coverage. Although Merck v. Ace is likely to garner attention, the “act of war” exclusion is but one of many terms that are surely drawing fresh scrutiny from the insurance industry.