War exclusion doesn't apply to Merck's $1.4B NotPetya claims, NJ court rules
Advisen
War exclusion doesn't apply to Merck's $1.4B NotPetya claims, NJ court rules
By Erin Ayers, Advisen
The traditional war exclusion on property policies should not be applied to losses caused by the June 2017 NotPetya cyber event, according to a New Jersey superior court judge in the closely-watched case between pharmaceutical giant Merck & Co. and its insurers.
On June 27, 2017, malware dubbed NotPetya infected systems around the world, causing disruption and damage for dozens of organizations. Merck fell victim, along with FedEx, shipping firm Maersk, snack-food manufacturer Mondelēz International, and many others. The event has been widely attributed to the Russian government, with Ukrainian critical infrastructure presumed to be the intended target. However, since the attackers leveraged a software vulnerability known as EternalBlue, any unpatched system remained exposed.
Merck experienced damage to 40,000 computers and other losses reaching over $1.4 billion, according to court documents. News reports indicated the damage went well beyond hardware – drug production stopped, work ground to a halt, and years of research were lost. Post-event, the company turned to its all-risks coverage with $1.75 billion in limits from a tower of over 20 insurers, including Allianz, American International Group, and Chubb. According to court documents, the policies covered loss or damage resulting from destruction or corruption of computer data and software.
Given the attribution of the event to the Russian government, Merck’s insurers denied the claim as barred by the “hostile/warlike action” exclusion standard on the majority of property insurance policies. Merck claimed NotPetya could not be considered an official state action and sued.
Reviewing relevant court cases dating back to 1922, Judge Thomas J. Walsh of the Union County Superior Court said he “unhesitatingly” agreed with Merck, finding that no court has applied the war exclusion to “anything remotely close” to the facts of the case. He added that both Merck and its insurers were aware of the increase in cyberattacks, both state-sponsored and otherwise, in the years leading up to NotPetya.
“Despite this, insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyberattacks. Certainly they had the ability to do so,” said Judge Walsh. “Having failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.”
The NotPetya event and Merck’s lawsuit, along with another high-profile dispute between Mondelez and Zurich Insurance, accelerated efforts in the insurance industry to eliminate ambiguity over cyber exposures in non-cyber policies. Since then, the “silent cyber” initiative has led much of the market to clarify terms and conditions in traditional lines of coverage, either affirming or expressly excluding cyber-related losses.
