The court rejected the insurers argument that a cyber attack initiated by the Russia Federation precluded coverage under the policies' hostile/warlike action exclusion. Merck & Co. v. Ace Am. Ins. Co., 2021 N.J. Super. LEXIS 43 (N.J. Super. Ct. Law Div. May 1, 2023).
Merck held all-risk policies issued by several insurers. Merck sought coverage after a June 2017 malware/cyber attack known as NotPetya. A Ukrainian company developed an accounting software called M.D. Doc used by Merck and other companies in Ukraine. The NotPetya malware was delivered into the accounting software. The infected system was in an inoperable state. Ultimately, over 40,000 machines in Merck's network were infected.
When a claim was submitted to its insurers, reservation of rights letters were issued raising the hostile/warlike action exclusion. The policies excluded "loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending or expected attack."
The insurers denied coverage based upon the exclusion. Merck filed suit. Motions for summary judgment were filed. The trial court granted partial summary judgment to Merck finding the hostile/warlike action exclusion did not apply.
On appeal, the insurers argued that although the word "warlike" might not be applicable, the word "hostile" should be read in the broadest possible sense, as meaning" adverse, "antagonistic," or "unfriendly." The court disagreed. The plain language of the exclusion did not support the insurers' interpretation. The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace required the involvement of military action. The plain language of the exclusion did not include a cyber attack on a non-military company that provided accounting software for commercial purposes to non-military consumers, regardless of whether the attack was instigated by a private actor or a government or sovereign power.