The “war” exclusion has gotten more attention over the past couple of weeks in light of Russia’s invasion of Ukraine. For good reason. This exclusion, common in property and liability policies alike, typically eliminates coverage for losses caused by “hostile or warlike action” from a nation-state or its agencies, or by military forces. Insurers have recently invoked this exclusion in an attempt to avoid providing coverage for losses arising from Russia’s 2017 “NotPetya” cyberattack against Ukraine, which spread beyond Ukraine’s borders and caused widespread damage to computer systems, including hardware, at a number of companies around the world.

A New Jersey court recently rejected an insurer’s reliance on a “war” exclusion in a property insurance policy, under which the insured had sought coverage for losses caused by the NotPetya cyberattack. See Merck Co. Inc. et al. v. ACE American Insurance Co. et al., Case number UNN L 002682-18, in the Union County Superior Court of New Jersey.

Pharmaceutical giant Merck & Co. alleged that the NotPetya cyberattack caused it over $1.4 billion in losses by affecting over 40,000 of Merck’s computers worldwide and impacting its production. A conglomerate of insurers and re-insurers, which underwrote Merck’s $1.75 billion property policies, denied coverage for the losses, citing the war exclusion. The insurers argued that the war exclusion applied, alleging that the cyberattack was carried out by Russian agents intending to cripple Ukraine’s financial sector and then spread worldwide. They argued it was carried out while Russia and Ukraine were engaged in war, and as such, it was an act of war.

Merck argued that the cyberattack was a form of ransomware, which was not excluded (and was therefore covered) by the policy. Although the US and UK accused Russia of being involved in the attack, the Russian government has called the accusation groundless.

The court agreed with Merck that the term “hostile or warlike action” means a traditional war between two or more nations involving “hostilities between armed forces.” The court also noted that “[n]o court has applied a war (or hostile acts) exclusion to anything close to” a malware attack. Ruling for Merck on a motion for partial summary judgment, the court concluded that the insurers did nothing to change the language of the exemption to reasonably put the insured on notice that they intended to exclude cyberattacks.

While Merck might be appealed, it begs the question of how courts will interpret war exclusions found in cyber insurance policies, which are expressly intended to cover losses resulting from cyberattacks. There is virtually no case law on this topic and insurers have been reluctant to deny coverage under cyber policies based on the war exclusion for fear of an adverse market reaction. Indeed, cyber insurers have routinely assured brokers and insureds that they intend to narrowly construe the war exclusion, as they are required to do. However, Russia’s war against Ukraine may bring the issue to the fore if it leads to another event like NotPetya.

The London insurance market has drafted four new sample exclusions to address cyberwarfare. We will be addressing those developments in a forthcoming blog post soon.