First Thoughts on the Appellate Decision in the Merck v. Ace War Exclusion Case

By Vincent J. Vitkowsky, Gfeller Laurie, LLP

In Merck v. Ace, et al., NJ App. Div., Nos. A-1879-21and A-1882-21 (decided May 1, 2023), the New Jersey Appellate Division construed a traditional “Hostile/Warlike Action” exclusion in an all-risk property policy.  The policy afforded certain cyber coverage, and the exclusion did not mention cyberattacks at all.  The Court affirmed a holding that the exclusion did not apply to the NotPetya cyberattack launched by Russia in 2017.  NotPetya spread throughout the world and caused an estimated $10 billion in losses.

The Appellate Division decision is more thoughtfully reasoned than the trial court decision was. It at least analyzed cases in which war exclusions were construed. The Court adopted the guiding principle that “similar exclusions have never been applied outside the context of a clear war or concerted military action.”  It concluded that “the NotPetya attack is not sufficiently linked to a military action or objective as it was a non-military cyberattack against an accounting software provider.”

The guiding principle seems sound, but the specific conclusion may not be correct. It is not known how much of the factual record addressed or developed the connection between the cyberattack and Russia’s ongoing effort to seize and occupy Crimea, but it seems clear that it was, broadly, a part of that effort, which could be considered a “concerted military action.”  However, the Court did not see it that way.

Appeals to the NJ Supreme Court are limited, and there is no automatic right to appeal this decision. The insurers could seek certification on the argument that an important matter of public policy is involved, but that is always a long shot. Merck would argue that this is simply a question of state law insurance contract interpretation. So, the insurance industry may have to live with this decision.

For insurers, it is helpful that the decision recognized that various acts linked to a military action or objective may be excluded. It implicitly recognized that the means of war need not be bullets and bombs – but could be things like flares or Agent Orange. So, for example, even without mention of cyber operations in an exclusion, a cyberattack that had physical effects such as property loss or death, conducted clearly in the course of a military action, could be excluded. Or, with variations in wording in a policy, even economic losses might be excluded.

The most important lesson of the case is that War exclusions need to be modernized.  Not just standalone cyber insurers, but all insurers, need to include state-sponsored cyber operations in their war exclusions, to the extent the market will accept this. Some newly developed war exclusions only exclude cyber operations that are conducted in support of or part of a war or military action.  The market would seem to have little principled objection to exclusions drafted in that manner. Other exclusions of state-sponsored cyberattacks would meet more resistance, although efforts to craft versions that the market could accept are underway.

All of this leaves the industry with the original problem that war exclusions were designed to solve – massive correlated losses across multiple industries or geographic areas.  Addressing these will require the continued development of provisions addressing widespread losses or systemic risks.

Vince Vitkowsky is a partner in Gfeller Laurie LLP and a Fellow at the National Security Institute of George Mason School of Law.