Last month the Superior Court of New Jersey ruled insurers cannot use a policy exclusion to avoid covering about $1.4 billion in damages Merck & Co. said it suffered from a spring 2017 cyber attack known as NotPetya.
The court “unhesitatingly” found that the nearly identical war exclusions contained within Merck’s all-risk property policies worth about $1.75 billion do not apply, according to a decision made public Jan. 13.
The insurers had tried to use the exclusions to avoid paying out, citing the fact the NotPetya malware was attributed to Russia and was meant to be deployed to disrupt and destabilize Ukraine. The malware wound up affecting thousands of companies worldwide.
Judge Thomas J. Walsh said Merck and its insurers were aware that “cyber attacks of various forms, sometimes from private sources and sometimes from nation-states, have become more common,” but the insurers “did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks.”
“Certainly [insurers] had the ability to do so,” Walsh added. Therefore, Merck’s expectation that the exclusion only applied to “traditional forms of warfare” was justified.
“We are not going to be coy about this—we think the decision is wrong,” wrote Joshua Mooney and Judy Selby, partners at law firm Kennedys. The pair took exception with the court’s use of “traditional” while it ignored the meaning of hostile acts.
“The decision relies upon case law rendered before the Internet existed and before ‘cyber’ was a word,” Mooney and Selby continued. “The reasoning of this decision looks backward to a century past, and we believe it will not age well.”
While the verdict is specific to New Jersey law and subject to appeal, it is for now a win for policyholders. In the meantime, the ruling “highlights the risk for P/C insurers and reinsurers of cyber coverage embedded in traditional P/C policies,” Moody’s Investor Service said recently. Indeed, the New Jersey court’s interpretation of the war exclusion is a warning against not including “cyber” within it, experts have said.
The insurance industry since NotPetya has been seeking clarity, making efforts to shore up policy language in order avoid any perception of ambiguity by adding cyber-specific exclusions to property and liability contracts. The cyber attack also attracted the attention of regulatory scrutiny of so-called “silent cyber” exposure in all policies. Moody’s said reinsurers have “broadly included cyber exclusions on property treaties to ensure that cyber risk is not inadvertently included.”
Late last year, the Lloyd’s Market Association released four model war and cyber war exclusions. Vincent Vitkowsky, partner at law firm Gfeller Laurie, said the exclusions are “not perfect” and there is some room for dispute of some terminology. But, he added, the exclusions “reflect a well-reasoned, serious attempt to reduce some of the uncertainties over the scope of coverage for state and state-sponsored attacks.”
Meanwhile, another similar case in the Illinois court system is also testing policy war exclusions as Mondelez International is seeking summary judgment against Zurich Insurance. Mondelez, one of the largest snack companies in the world, was also a victim of the NotPetya cyber attack and is seeking $100 million in coverage it has been denied.