The War and Hostile Action Exclusions have been standard exclusions in property and general liability policies for decades. With the rise of cyber claims, insurers have turned to these exclusions to deny coverage where the bad actor may have governmental roots. In a win for policyholders, the New Jersey Appellate Division rejected the insurers’ attempt to deny coverage and held that the hostile/warlike action exclusion did not apply to non-military, cyber-attack claims. See Merck & Co. v. ACE American Insurance Co.1 This ruling affirms the traditional scope of these exclusions and establishes that coverage under a commercial property policy for property damage caused by cyber-related incidents, colloquially known as “silent cyber” coverage, persists.
Merck & Co. v. ACE American Insurance Co.
On June 27, 2017, New Jersey pharmaceutical company, Merck & Co. (“Merck”), suffered a cyber-attack that left thousands of Merck’s computers damaged and encrypted by the malware known as NotPetya. The malware caused large-scale disruption to Merck’s business, resulting in $699,475,000 in losses. Although the exact origin of the malware was unknown, it was believed to have originated from the Russian Federation.
Merck tendered the claim to its all-risk property insurance carriers. The insurers reserved their right to deny coverage pursuant to hostile/warlike action exclusions and then subsequently denied coverage. Specifically, these exclusions exclude coverage for “loss or damage caused by hostile or warlike action” which was caused by “any government or sovereign power . . . or by military, naval or air forces . . . or by an agent of such government . . . .”2 The insurers argued that the word “hostile” should be broadly read to mean any antagonistic, unfriendly, or adverse action by a government or sovereign power, including the Russian Federation. Rejecting the insurers’ argument, the trial court held that the hostile/warlike action exclusions were inapplicable to the NotPetya related claims. The insurers appealed.
The New Jersey Court of Appeals Narrowly Construed the Hostile/Warlike Action Exclusion
On appeal, the Court looked to the plain and ordinary meaning of the exclusion. In particular, the Court focused on the meaning of “hostile” and “warlike action” as well as examined the historical context of war exclusions. Analyzing cases involving agent orange, aerial flares, mines, as well as the international definition of war,3 the Court found that the war exclusion only applied to actual war or combat in the traditional sense, to war in the ordinary and usual sense, and to “war” as defined by international law. Furthermore, the hostile/warlike action exclusions must be narrowly construed to the specific activity that fell within the traditional meaning of “war.” Accordingly, the Court held that the hostile/warlike action exclusion required evidence of military action or objectives by a sovereign power against another and did not apply to all government actions motivated by ill will.
In Merck, the carriers failed to show enough of a connection to military action or objective to implicate these exclusions. NotPetya initially infiltrated a company that developed M.E. Doc, an accounting software used by Merck and other Ukrainian companies. After this first infection, the malware spread to many different computers across the world. At its most basic level, the NotPetya claims arose from a non-military attack on a software provider.
Lessons Learned from Merck
Focusing on NotPetya’s non-military application, the Merck Court concluded that the initial attack was perpetrated on a non-military company with non-military customers. Therefore, acts by private individuals, organizations, or governments and sovereign powers against private, non-military organizations do not implicate the hostile/warlike action exclusion.
The Court’s narrow application suggests that the “hostile or warlike action” exclusion will likely only be applicable to claims involving cyber-attacks against governmental entities or military groups. Had the original NotPetya attack been on a military or government entity or affiliate, the outcome of the case may have been different. Based on the Court’s analysis, malware deployed by a sovereign power as a form of aggression against another sovereign power would likely implicate the hostile/warlike action exclusion. Although an action of this kind may not be considered a “war” in the traditional sense, it certainly could be considered hostile action committed by one sovereign power against another, as long as the malware deployment had sufficient ties to a military action or objective.
In sum, while this decision preserves the possibility of policyholders benefitting from the so called “silent cyber” coverage under their commercial property policies, this case demonstrates that the line between cyber-warfare and criminal malware attacks is highly fact specific. Further, as designated Crime and/or Cyber products often only provide narrow coverage for cybercrimes, neither are a perfect solution to the uncertainty arising from cyber claims. As demonstrated by this case, the difference between having a covered claim or being stuck paying out of pocket can often come down to the interpretation of just a couple of words and understanding the actual scope of that coverage.
For more information on this topic, contact Janie Eddy at JEddy@sdvlaw.com.
Special thanks to Nicolas Berube for contributing to this Case Alert.
1Merck & Co. v. Ace Am. Ins. Co., 293 A.3d 535 (N.J. App. Div. 2023).
2Id. at 539.
3See Diamond Shamrock Chemicals Co. v. Aetna Cas. & Sur. Co., 609 A.2d 440 (N.J. App. Div. 1992); Int'l Dairy Eng'g Co. of Asia v. Am. Home Assur. Co., 352 F. Supp. 827 (N.D. Cal. 1970), aff'd, 474 F.2d 1242 (9th Cir. 1973); Stanbery v. Aetna Life Ins. Co., 98 A.2d 134 (N.J. Super. Law. Div. 1953); Pan Am. World Airways, Inc. v. Aetna Cas. & Sur. Co., 505 F.2d 989 (2d Cir. 1974).