On December 6, 2021, the Superior Court of New Jersey granted partial summary judgment in the highprofile ransomware case in favor of Merck and International Indemnity, declaring that the War or Hostile Acts exclusion contended by ACE American Insurance was inapplicable to the dispute (Link to the verdict: ).

Merck suffered $1.4 billion in business interruption losses from the Notpetya cyber attack of 2017, which were claimed against “all risks” policies providing coverage for losses resulting from destruction or corruption of computer data and software.

The parties disputed whether the Notpetya malware which affected Merck’s computers in 2017 was an instrument of the Russian government, so that the War or Hostile Acts exclusion would apply to the loss (see our summary of the argument of the case here).

The Court noted that Merck is a sophisticated and knowledgeable party, but there was no indication that the exclusion had been negotiated since it was in standard language. Therefore, the Court applied, under New Jersey law, the doctrine of construction of insurance contracts that gives prevalence to the reasonable expectations of the insured, even in exceptional circumstances when the literal meaning of the policy term is plain.

The Court also noted that under New Jersey law, ‘all risks’ policies extended coverage to risks not usually contemplated by the parties unless a specific provision excluded the loss from coverage.

Applying these principles, the Court held that:

(i) “…no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts” in this case, and

(ii) despite being “aware that cyber-attacks […] from private sources and sometimes nation-states have become more common […], Insures did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks”.

The Court concluded that “Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare” and not to cyber attacks such as Notpetya.

The New Jersey Superior Court’s decision is heavily reliant on the doctrine of “reasonable expectations of the insured” which construes insurance policies in favor of policyholders. It is doubtful whether the result would have been the same if the policies had been subject to English law.

Should the ruling in favour of the policyholder contained in this judgment be repeated in the similar NotPetya attack case of Mondelez v. Zurich, the pressure for insurance and reinsurance companies to adopt more clear cyber risks wordings will continue to increase in future.

References