Insurance companies can’t deny Ransomware attack payment, citing “Acts of War” clause

In a cyberattack coverage dispute involving $1.4 billion, an appeals court in New Jersey issued a potentially precedent-setting ruling in favor of Merck & Co. Inc. The court held that a group of insurers cannot use a war exclusion as a basis to deny Merck coverage for the cyberattack that occurred in 2017. The NotPetya hack caused widespread disruption to computer networks around the globe, and thousands of machines owned by Merck were affected.

The $1.75 billion all-risk insurance policy that Merck held with Ace American included coverage for occurrences that led to the loss of software data. However, the insurer did not pay out, citing an “Acts of War” exclusion clause in its decision, on the grounds that NotPetya was a cyberattack supported by Russia against Ukrainian entities. The majority of insurance contracts contain this language, but Merck maintained that the exclusion did not apply because the consequences it incurred were not connected to military activity. The court reached the same conclusion and decided that the NotPetya cyberattack did not constitute any kind of military action, so coverage cannot be denied under the pretext of a warlike conduct exclusion.

According to the decision, “coverage could only be excluded in this circumstance if we stretched the meaning of ‘hostile’ to its outer limit in an attempt to apply it to a cyberattack on a noncombatant firm that provided accounting software updates to various noncombatant customers, all wholly outside of the context of any armed conflict or military objective.”

The decision continued, “but that approach would conflict with our fundamental construction principles that require a court to narrowly construe an insurance policy exclusion.” In an exclusion, the particular, obvious, clear, and conspicuous meaning of a word or phrase, as well as its clear import and purpose, does not equate to the broadest possible interpretation of that word or phrase; rather, it equates to the narrowest possible interpretation.

The lawsuit arose from the consequences that Merck experienced as a result of the NotPetya catastrophe. According to the complaint, “within 90 seconds of the initial infection, approximately 10,000 machines in Merck’s global network were infected,” and within five minutes, nearly 20,000 additional machines were infected with the malicious software. More than 40,000 computers across the pharmaceutical company’s global network were compromised by the virus.

The corporation is reported to have incurred losses of $1.4 billion due to interruptions in production and manufacturing, costs paid to third-party cyber firms, and the expense of replacing each system that was adversely affected.

At the time of the hack, Merck had a $1.75 billion all-risk insurance policy with Ace American. One of the policy’s provisions was coverage for incidents that resulted in the loss of software data. However, the insurer did not pay out, citing an “Acts of War” exclusion clause in its decision, on the grounds that NotPetya was a cyberattack supported by Russia against Ukrainian entities.

The clause is included in the vast majority of insurance policies; nevertheless, Merck maintained that the exclusion did not apply to its situation since the effects it endured were not the result of a cyberattack launched by a nation-state.

In its original complaint, filed in August 2018, Merck stated that the exclusion provision did not apply to any cyber-related occurrences and only applied to attacks that were officially sanctioned by the government.

A judgment handed down by the New Jersey Superior Court in December 2021 went against Ace American and “unhesitatingly” granted Merck’s motion for partial summary judgment. The court concluded that the hostile/warlike conduct exclusion did not apply to limit coverage for Merck’s damages caused by NotPetya. The insurer then filed an appeal, arguing that the lower court erred in its decision.

The argument in favor of Merck stated that in order to guarantee adequate insurance coverage, “accepting the insurers’ interpretation of the hostile/warlike exclusion would operate to change the settled meaning of war exclusions and… also threaten to undo the policy interpretation rules that local governments have historically relied upon.”

The judgement that was handed down this week puts an end to a protracted legal struggle and mandates that Ace American pay the losses that were sustained by Merck.

This ruling is being hailed as a big success for businesses that are pursuing claims for cyberattacks, particularly given that hackers with ties to unfriendly nation-states have ramped up their threat activities in the form of supply chain attacks, ransomware, and other destructive threats. The judgment is expected to make it simpler for businesses to get their claims paid when a forensic examination reveals that a state-linked actor is connected to an attack. The ruling should also benefit the insurance sector as a whole by motivating insurers to, at the very least, review their policies and update them with any appropriate exclusions in order to stay abreast of the complicated and evolving cyber world.