After Important Cyber Insurance Victory for Policyholders, Focus Turns to Insurers’ Proposed Changes to War Exclusions

14 June 2023

A recent appellate court decision could help policyholders secure insurance coverage for losses arising out of state-sponsored cyberattacks. In Merck & Co., Inc. v. ACE American Ins. Co., the Superior Court of New Jersey Appellate Division ruled that a war exclusion similar to those found in many cyber insurance policies did not bar coverage for losses caused by a 2017 cyberattack that arose out of the ongoing conflict between Russia and Ukraine. The Merck decision is the first appellate court decision to consider whether a war exclusion applies to a state-sponsored cyberattack. As the insurance industry reacts to the Merck decision and the ongoing threat of state-sponsored cyberattacks, policyholders should pay close attention to any proposed endorsements or other policy language changes that implicate the war exclusion or otherwise attempt to restrict coverage for state-sponsored cyberattacks.

The Merck Decision

In June 2017, the NotPetya cyberattack quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. According to a White House statement issued a few months later, it was “the most destructive and costly cyberattack in history.”1 In a departure from past policy, the US Government expressly blamed Russia for the attack, calling it “part of the Kremlin’s ongoing effort to destabilize Ukraine.”2 Even though Ukraine was believed to be the primary target of the attack, many US companies suffered collateral damage, including Merck & Co., Inc. (Merck), which submitted a claim for more than US$1.4 billion in losses under several “all risk” property insurance policies. Merck’s insurers denied coverage, citing several almost identical war exclusions that barred coverage for loss or damage caused by “hostile or warlike action” by “any government or sovereign power.” 

On 1 May 2023, the Superior Court of New Jersey Appellate Division rejected the insurers’ argument that the war exclusion barred coverage for losses arising out of the NotPetya cyberattack.3 Recognizing that policy exclusions must be construed narrowly, the court concluded that “hostile or warlike action” needed to involve more than “ill will or a desire to harm” by a government or sovereign power and, at a minimum, needed to involve “military action.” As the court explained, cases involving similarly worded exclusions demonstrate a common understanding that terms similar to “hostile or warlike action” by a sovereign power are “intended to relate to actions clearly connected to war or, at least, to a military action or objective.” According to the court, “the context and history of this and similarly worded exclusions and the manner in which similar exclusions have been interpreted by courts all compel the conclusion that the exclusion was inapplicable to bar coverage for Merck’s losses.” 

Cyber-Insurance Implications

Like the property insurance policies at issue in the Merck case, most stand-alone cyber insurance policies also have a war exclusion. While the specific language varies from policy to policy, cyber policies often exclude coverage for loss or damage arising out of “war,” “warlike action,” “action by a military force,” or “invasion.” Many cyber policies, however, now also include a “cyberterrorism” exception to the war exclusion, which preserves coverage if the exception to the core exclusion applies. Once again, the specific policy language varies, but cyber policies sometimes define “cyberterrorism” quite broadly, to include attacks against computer systems with the “intent to cause harm” in furtherance of “social, ideological, religious, economic or political objectives.” 

Given this structure, the application of a war exclusion to a state-sponsored cyberattack will often require a two-part analysis: (a) does the core exclusion bar coverage in the first instance; and (b) if so, does the cyberterrorism exception apply? As is the case with other exclusions, the insurer would likely bear the burden of proving that the core exclusion applies (which may be difficult if the origin of the attack is unclear), while the policyholder (depending on applicable law) may bear the burden of proving that the exception applies. The Merck case is relevant to the first part of the analysis. Accordingly, policyholders are now equipped with appellate law holding that a war exclusion applies only to loss or damage that is clearly connected to war or some other form of traditional military action. Even if the war exclusion applies to a specific cyberattack in the first instance, the cyberterrorism exception (the second part of the analysis) may nonetheless preserve coverage. 

Policyholders should also be aware that, going forward, some insurers are revising their cyber insurance policies in an attempt to exclude coverage for state-sponsored cyberattacks. Lloyd’s of London, for example, has introduced four model exclusions that seek to bar coverage for loss or damage that arises out of “cyber operations” by or on behalf of a state to “deny, degrade, manipulate or destroy information in a computer system of or in another state.”4 These model exclusions differ in language, but each exclusion contains a provision stating that the “primary” factor in determining attribution of a cyber operation “shall be whether the government of the state . . . in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf.” It remains to be seen whether insurers outside of the London insurance market will introduce similar exclusions, but policyholders should pay close attention to any proposed endorsements or other policy language changes that implicate the war exclusion or otherwise attempt to restrict coverage for state-sponsored cyberattacks. 

Conclusion

The Merck decision provides policyholders with a well-reasoned appellate court decision that they can use to push back against insurer arguments that the war exclusion bars coverage for state-sponsored cyberattacks, but some insurers may now introduce new policy language that restricts coverage for state-sponsored cyberattacks. Accordingly, policyholders should review their insurance policies in light of recent developments and carefully consider any proposed changes to the war exclusion at renewal.