Merck Court Win Could Redefine Cyberattack Coverage
In 2017, Merck & Co., a New Jersey-based multinational pharmaceutical company, fell victim to the NotPetya malware attack, resulting in damages exceeding $1.4 billion and affecting more than 40,000 of its computers.
When Merck claimed this damage under its insurance policies, the insurers denied coverage, invoking a war exclusion clause and arguing that Russia, the alleged origin of the malware, used NotPetya as part of its ongoing hostilities against Ukraine.
The New Jersey appellate court held that the war exclusion clause did not apply to cyberattacks.
The court’s decision was grounded in the nature of Merck’s “all-risk” insurance policies, which cover any risk unless explicitly excluded. In this context, the court noted that such a policy would provide coverage against the risk of loss or damage caused by malware, absent a specific exclusion.
The court contested the insurers’ argument that the war exclusion clause applied to the NotPetya cyberattack.
Upon reviewing the historical application of such exclusions, the court found that they had never been used outside the context of clear war or concerted military action. This led the court to conclude that traditional war exclusions should not be applied to damages caused by malware or cyberattacks.
The court noted there is an increasing prevalence of cyberattacks, yet the insurers had not updated their exclusions to explicitly state that damages from such attacks were not covered.
This decision communicates a crucial message to the insurance industry.
Scorecard: “Court rules: malware ≠ war.”
Takeaway: Insurers who do not modify the language of their war exclusions to encompass cyberattacks may find courts unsympathetic to their stance. This ruling also underscores for corporate purchasers of insurance that traditional war exclusions may not necessarily deny coverage for cyberattacks.