Merck’s Cyber Insurance Coverage

The Superior Court of New Jersey Appellate Division recently upheld a lower court’s finding that the war exclusion in a property insurance policy did not preclude coverage for Merck’s claim stemming from a 2017 cyberattack. The decision is appropriately heralded as a huge win for policyholders and affirms New Jersey’s longstanding history of protecting policyholders’ reasonable expectations.[1]

Insurance policies typically contain some form of a war exclusion, which generally bars coverage only for damages caused by “war,” “warlike,” or “hostile” actions.  However, insurers may try to invoke the exclusion if there is any potential link between the loss and events relating to Ukraine or the conflict.  Thus, how courts interpret the exclusion will be critical to the ability of policyholders to recover insurance proceeds.  Courts have traditionally interpreted war exclusions to apply to attacks that ordinary people would consider an act of war between nation-states or state actors.  For instance, in deciding whether the war exclusion applies, courts have considered factors such as (i) whether the attackers wore uniforms, (ii) whether they used physical weapons, (iii) whether there was a governmental declaration of war and (iv) whether medals for heroic acts were awarded.  Recent decisions have likewise narrowed the scope of the war exclusion to traditional forms of warfare between sovereign states.[2]

In 2017, Merck, like many other companies, was the victim of a NotPetya malware attack.  The malware, delivered to Merck’s computers through accounting software developed by a Ukrainian company, allegedly spread to 40,000 Merck computers, caused more than $1.4 billion in losses and hurt Merck’s revenues.  Merck sought coverage under its $1.75 billion property insurance program, but Merck’s insurers denied coverage, citing a “hostile/warlike action” exclusion, which precludes coverage for:

  • Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack:
      • by any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval, or air forces;
      • or by military, naval, or air forces;
      • or by an agent of such government, power, authority, or forces.

The insurers argued that the malware attack was initiated by an instrument of the Russian government acting against Ukraine. Merck, for its part, said the attack was not an act of war by a nation-state but a mere form of malware covered by the policy. Merck ultimately filed suit against its insurers, alleging that the carriers breached the policies by refusing to cover Merck’s losses from the NotPetya cyberattack.

The trial court determined in December 2021 that the exclusion applies only to a physical act of warfare, not to a malware hack. The court further held that a “hostile or warlike action” means traditional war involving “hostilities between armed forces of two or more nations or states.” Additionally, the trial court held that the insurers could “change the language of the exemption to reasonably put [Merck] on notice that it intended to exclude cyber-attacks” but did not. The insurers appealed that decision.

On appeal, the New Jersey Appellate Division affirmed the trial court decision. Specifically, the court stated: “In considering the plain language of the exclusion, and the context and history of its application, we conclude the Insurers did not demonstrate the exclusion applied under the circumstances of this case.” The court explained that “the plain language of the exclusion did not include a cyber-attack on a non-military company that provided accounting software for commercial purposes to non-military customers, regardless of whether the attack was instigated by a private actor or a ‘government or sovereign power.’”  The court further explained that, after analyzing other war exclusion cases throughout history, “[c]ontrary to the Insurers’ contentions, these cases demonstrate a long and common understanding that terms similar to ‘hostile or warlike action’ by a sovereign power are intended to relate to actions connected to war or, at least, to a military action or objective.”

In light of the decision, policyholders should continue to review coverage for cyber risks under both their cyber/technology insurance policies and traditional policies.  And, because of the coverage litigation arising out of the NotPetya attacks, many insurers have introduced broader war exclusions, or state actor exclusions, even in cyber policies. Nonetheless, robust coverage is still available, and policyholders should work with their brokers and insurance coverage counsel to ensure they purchase the broadest coverage possible at policy inception or renewal.


Red Sky Alliance offers protection through Cysurance.[3]  If you need assistance, please get in touch with us.  

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings




