Insurance Law

'Warlike action' exclusion didn't protect insurers from Merck's cyberattack claim, appeals court says

  • Print


Image from Shutterstock.

A New Jersey appeals court ruled last week that an exclusion for “hostile/warlike action” in insurance policies covering "all risks" didn’t bar a pharmaceutical company’s claim for damages in a cyberattack.

The New Jersey Superior Court’s Appellate Division ruled for Merck & Co. Inc. on May 1.

The Legal Profession Blog has highlights from the opinion, while and Law360 have coverage.

Merck’s computer and network systems were infected with NotPetya malware in June 2017 through accounting software made by a Ukrainian company. Merck said the malware caused more than $1.4 billion in losses.

The insurance defendants had contended that the exclusion for “hostile/warlike action” applies when a government or a sovereign power takes action that reflects ill will or an intent to harm. In this case, the NotPetya virus was linked to the Russian Federation, the insurers said.

But the appeals court said “military action” is required before the exclusion kicks in.

“We agree with the trial court,” the appeals court said. “The plain language of the exclusion did not include a cyberattack on a nonmilitary company that provided accounting software for commercial purposes to non-military consumers, regardless of whether the attack was instigated by a private actor or a ‘government or sovereign power.’”

Merck was insured under 26 all-risks policies at the time of the cyberattack. Eight insurers were involved in the appeal after several others reached settlements, according to

Those insurers were Aspen Insurance, the HDI Global Insurance Co., the National Union Fire Insurance Co. of Pittsburgh, Syndicate No. 1183 at Lloyd’s London, the Zurich American Insurance Co., Mapfre Global Risks, Compañia Internacional de Seguros y Reaseguros and the Vienna Insurance Group.

Give us feedback, share a story tip or update, or report an error.