Russian cyber attack not “warlike” – clarifying the scope of the war exclusion

Merck & Co v Ace American Insurance Co No: UNN-L-2682-18

It is not often that courts have occasion to look at the construction of the ‘war risks’ exclusion.  In a novel argument, the insurer relied on the war risks exclusion to deny cover to an insured for losses arising from a cyber attack. The Superior Court of New Jersey held that it did not apply.  In doing so, it provided useful clarification of the meaning of the exclusion.

Background

On 27 June 2017, computer systems operated by Merck & Co (Merck) were infected by the NotPetya malware, a global cyber attack which severely affected computers worldwide.  In Merck’s case the attack caused damage to 40,000 of Merck’s computers and a total loss of more than $1.4 billion.

Merck sought coverage under an “all risks” property insurance policy with Ace American Insurance (Ace), which provided coverage for loss or damage resulting from destruction or corruption of computer data and software.

Ace denied the claims, saying that the cyber attack was an instrument of Russia as part of its ongoing hostilities against Ukraine.  It therefore argued that this came within the war exclusion clause which excluded “Loss or damage caused by hostile or warlike action in peace or war…by any government or sovereign power…”.  

In contrast, Merck argued that the facts did not show conclusively that the cyber attack was official Russian state action and even if it were, that it was not “hostile or warlike action in time of peace or war”.

Judgment

The Court found “unhesitatingly” that the exclusion did not apply.  Its ruling focused on whether the cyber-attack was “hostile or warlike”.  The Court agreed that the ordinary and usual definition of “warlike” was “actual hostilities between the armed forces of two or more nations or states de facto or de jure” which had to have proximately caused the loss.  It found that “no court has applied a war (or hostile acts) exclusion to anything remotely close to [the cyber attack]”.

Further, the Court placed reliance on the lack of clear words applying the exclusion to cyber-attacks. Despite being aware that cyber-attacks “…from private sources and sometimes nation-states have become more common…insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks”.

Therefore, in the absence of explicit wording in the exclusion, it found that Merck “had every right to anticipate that the exclusion applied only to traditional forms of warfare”.

Comment (Frances Jones)

This case illustrates the risk that insurers face if policy terms are not sufficiently defined.  In the absence of a prescribed definition, the courts will adopt an interpretation that is consistent with the perceived ordinary, everyday meaning.  In this case, ‘warlike’ connoted traditional forms of war, not the new battleground of cyber warfare. 

As the Superior Court’s decision in Merck illustrates, courts expect insurers to clearly express their intentions and it is unsafe for insurers to rely on traditional words or phrases to apply to modern conditions.  The safest course is to include clear words in the policy which expand the definition to cover the risk intended to be excluded. 

 

Frances Jones is an Associate at Fee Langstone