HNRK Coverage Corner

On May 1, 2023, the New Jersey Superior Court, Appellate Division, issued a decision in a closely-watched cyber insurance case, Merck & Co, Inc. v. ACE Am. Ins. Co., Appellate Division Docket No. A-1889-21, A-1882-21. (I spoke to Law360 about the case in January.)  Affirming the trial court’s ruling in favor of the policyholder, the appellate court held that an exclusion in an all-risk insurance property insurance policy for damages arising from “hostile or warlike action” by a “government  or sovereign power” did not apply to a cyberattack on a private company, notwithstanding allegations that the Russian government was behind the attack.

The Court explained:   

The Insurers assert summary judgment should have been granted in their favor because the exclusion “is clear and unambiguous, and it plainly applies to the NotPetya attack.”  Although they concede the word “warlike” might not be applicable, they assert the word “hostile” should be read in the broadest possible sense, as meaning “adverse,” “showing ill will or a desire to harm,” “antagonistic,” or “unfriendly.”  According to the Insurers, any action that “reflects ill will or a desire to harm by the actor” falls within the hostile/warlike action exclusion, as long as the actor was a government or sovereign power, in this case the Russian Federation.

However, the plain language of the exclusion does not support the Insurers’ interpretation.  The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action.  The exclusion does not state the policy precluded coverage for damages arising out of government action motivated by ill will. . . .

Although there is no precedent considering the hostile/warlike exclusion, our Supreme Court has consistently required the need for plain language pertinent to the situation to permit the enforcement of an exclusion. . . .

Coverage could only be excluded here if we stretched the meaning of “hostile” to its outer limit in an attempt to apply it to a cyberattack on a non-combatant firm that provided accounting software updates to various non-combatant customers, all wholly outside the context of any armed conflict with our basic construction principles requiring a court to narrowly construe an insurance policy exclusion.  The specific, plain, clear, and prominent meaning of, and the clear import and intent of, a word or phrase in an exclusion does not equate to its broadest possible interpretation, but rather its narrowest.

We agree with the trial court that the plain language of the exclusion did not include a cyberattack on a non-military company that provided accounting software for commercial purposes to non-military consumers, regardless of whether the attack was instigated by a private actor or a “government or sovereign power.”

Given the proliferation of cybercrime, and the involvement (or alleged involvement) of rouge regimes in cyberattacks, we can expect further litigation on the interpretation of the war exclusion, as well as efforts by insurers to narrow the scope of coverage going forward.  To this end, Lloyd’s recently implemented a new mandatory war exclusion for its cyber policies that is sure to result in future coverage litigation.