Exclusion does not preclude coverage of cyberattacks

Merck obtains summary judgment against ACE (Chubb) for malware losses.

Companies looking for insurance coverage for losses caused by cyberattacks received good news this month. The New Jersey Superior Court for Union County has found that Merck & Co., Inc.’s claim for coverage under their $1.75 billion insurance policy with ACE American Insurance Company (now The Chubb Corporation) is not prohibited by the war exclusion clause of the policy. Merck successfully asserted its expectation that the exclusion only bar claims arising out of “traditional forms of warfare”.

This case sends a strong legal signal to carriers that attempting to push cyberattacks into exclusions meant to cover completely separate circumstances will not work. As the court noted in its decision, insurers are well aware of the prevalence of malware and other cyberattacks by domestic and foreign actors. If they intend to exclude these incidents from coverage, they must do so explicitly.

Merck, along with its insurer International Indemnity, Inc., had taken out an “all risk” property insurance policy with ACE for loss or damage resulting from the corruption or destruction of their computer data and software. On June 27, 2017, Merck’s computer systems were infected with the notorious NotPetya malware which also infected computer systems around the world. Merck says the malware infected 40,000 of its computers, resulting in more than $1.4 billion in damages. NotPetya malware has been determined by many experts as a cyber weapon launched by Russia mainly against Ukraine.

ACE sought to deny coverage claiming the damage was not covered due to the policy’s war/hostile act exclusion clauses.

The parties to the lawsuit filed summary judgment counterclaims with respect to the policies’ exclusion clauses.

Judge Thomas J. Walsh noted that insurance contracts were “all risk” policies that “create a ‘special kind of insurance’ extending to risks usually not contemplated, and recovery under the policy will generally be permitted, at least for all losses from a fortuitous event, in the absence of fraud or other intentional fault of the insured, unless the policy contains a specific provision expressly excluding the loss from coverage.

Justice Walsh noted that the words “hostile or warlike action” must be interpreted in their ordinary meaning. Merck insisted that the acts contemplated by the exclusion clause would involve acts of the armed forces and argued that all of the case law on the exclusion of war supported this interpretation. In reviewing the ordinary meaning of the war exclusion clause combined with the relevant case law, the Court “finds without hesitation that the exclusion does not apply.”

The judge noted that both parties to the insurance policy were certainly aware of the existence of cyberattacks, but ACE did not change the wording of the exemption to indicate that the exclusion would include such attacks. With this, the court concluded that Merck’s expectation that the exclusion applied only to traditional forms of warfare was reasonable.

Scott Godes of Barnes & Thornburg LLP has a long history of representing policyholders in complex hedging matters, including those related to cyber losses. He told the MoginRubin Blog that the court rejected what it called “insurance companies’ efforts to go too far” in applying the war exclusion to a cyberattack. “This decision is good news for policyholders faced with arguments from adjusters or insurer-side cover lawyers that ‘war exclusions’ broadly apply to other cyber events.”

A similar case is pending in the Illinois Circuit Court for Cook County, where Mondelez International is seeking summary judgment against Zurich Insurance Group Ltd. for covering the losses suffered during his attack on NotPetya. The global snack maker, with brands like Oreo cookies, Ritz crackers and Philadelphia cream cheese, saw 1,700 servers and 24,000 laptops wiped out by the attack. Mondelez is asking its carrier for $10 million.

It will be interesting to see how insurance companies and their policyholders negotiate the terms of comprehensive policies and their exclusions in the future.

Comments are closed.