Good Sign For Cyber-Insureds

Insurance policies routinely include an exclusion for loss or damage caused by “hostile or warlike action” by governments, their militaries or agents. When the NotPetya malware targeted Merck in 2017, it cost the company more than $1.4 billion. Merck tried to collect through its property insurance, but the claim was denied on the grounds that NotPetya was released by the Russian government as an element of its conflict with Ukraine and therefore excluded. There is little disagreement that Russia was behind the attack. Nevertheless, last December a New Jersey Superior Court Judge ruled that Merck’s insurers couldn’t apply the exception for warlike acts to NotPetya. He was sympathetic to the argument that Merck understood the exclusion to apply to situations that “involved the use of armed forces”—a bad sign for insurers hoping it can apply to cyberattacks in general.