The New Jersey Superior Court in Elizabeth ruled that a certain policy exclusion did not let insurers covering pharmaceutical giant Merck off the hook for claims related to a 2017 cyberattack.
Source: Getty Images North America

A recent New Jersey court finding failed to provide answers as to how cyberattacks should be attributed, highlighting a lack of clarity surrounding war exclusions in cyber insurance policies.

Judge Thomas Walsh of the Superior Court of New Jersey in December 2021 found that insurers of pharmaceutical company Merck & Co. Inc. could not use the "hostile/warlike action" exclusion in property policies to avoid covering the $1.4 billion in damage Merck said it suffered in the 2017 NotPetya malware attack.

"I don't think this has as much breadth as people probably hoped," Tom Draper, technology and cyber practice leader at Arthur J. Gallagher & Co.'s London operation, said in an interview. "People were probably looking to this as being more of a wider test case, and I think the court played it with a straight bat."

Source of confusion

NotPetya was the first catastrophic cyberattack to result in claims costing insurers more than $1 billion, according to Property Claim Services. In fact, the bill ended up exceeding $3 billion. The attack, widely attributed to Russia's hostilities against Ukraine, disrupted the operations of thousands of companies worldwide. Several companies, including Merck, made claims against property policies, but some insurers tried to deny these claims using war exclusions — a standard feature of most insurance policies.

Specialist cyber policies were designed to pay out for NotPetya and did. Property-related court cases, in particular Mondelez International Inc.'s well-publicized 2018 suit against Zurich Insurance Group AG, prompted cyber insurers to make sure their war exclusions are clear about what is covered and protect them against systemic risk.

Industry players hoped the Merck case would provide guidance on attributing cyberattacks to a nation-state, considered key to writing effective war exclusions in cyber-specific policies. But the court sidestepped attribution and ruled that the exclusion only applied to "traditional warfare."

The Lloyd's Market Association, a trade body representing Lloyd's of London underwriters, in November 2021 published four model cyberwar exclusions. But there is a risk that the new model exclusions could confuse matters further because they rely on attribution to exclude cyber events perpetrated by nation-state actors, according to James Burns, head of cyber at CFC Underwriting. Burns said drafting such exclusions is very difficult.

"We need to be really careful as an industry because I think we are in danger of confusing clients whilst also not achieving the protections we desire," Burns said in an interview.

Seeking additional clarity on the matter will be a focus for the insurance industry in 2022, said Gallagher's Draper.

'Wrong' decision

The latest court ruling may not be the last word on war exclusions. In a Jan. 21 article, Joshua Mooney and Judy Selby, partners at law firm Kennedys, said the Merck decision was "wrong" because, among other things, it inserted the word "traditional" into the contested policy's exclusion and relied heavily on case law from 1970 and earlier to show that the exclusion had not previously been used for cyberattacks.

The decision also stated that insurers had failed to update the exclusion's language despite an increase in cyberattacks, which sends the message that war exclusions omitting the word "cyber" could be found not to apply to cyberattacks, the Kennedys lawyers wrote.

"It is kind of like saying a virus exclusion written in 2018 wouldn't apply to COVID because nobody knew about COVID in 2018," Selby said in an interview. Selby expects the decision to be appealed and does not anticipate other courts to author similar opinions in these kinds of cases.

The reach of the Merck case may be limited given the fact that it was very specific to New Jersey law. It would not hold much in the way of precedential value in a place like the U.K., said Richard Breavington, leader of the cyber and tech insurance team at law firm RPC.

Breaking the silence

However, the decision could spur the industry's efforts to eradicate inadvertent cyber cover from non-cyber policies, known as silent cyber.

"If I was an insurer who wasn't putting in cyber clarifications, this is the type of thing that would cause a bit of a wake-up call," Draper said.

While insurers might hope that courts beyond New Jersey interpret the war exclusion more in their favor, "rather than hope for the best, you want to plan for the worst because the worst is still coming at us," said Michael Bahar, litigation partner at Eversheds Sutherland.