NotPetya & US Law

If you have ever sat and read an entire insurance policy, you are fully aware of the use of specific words and definitions and how the words apply to the coverage.  The definitions of “war” and “cyber-war” are at issue.  Property policies' war exclusions were designed to apply to any type of nation-state attack, including cyber events, insurers told a New Jersey appellate panel on 8 February in a battle over whether Merck has coverage for $1.4 billion in losses stemming from the 2017 NotPetya cyberattack.

An attorney for Merck told a New Jersey appeals court on 8 February that the war exclusion in the company's policy should only apply to traditional forms of warfare based on its plain language.  He noted that the exclusion does not mention "cyberwar."

During oral arguments in a case of first impression over whether insurers, including Chubb and AIG units, may rely on a traditional wartime exclusion to deny Merck & Co.'s bid for cyberattack coverage, a three-judge panel for New Jersey's Appellate Division mostly sat back and let attorneys do the talking.  Judge Heidi W. Currier was the only judge to speak during the roughly hourlong session, and she mainly limited her questions to clarifying the sides' positions and understanding the history behind the exclusion in question.  The appeal turns on whether insurers can use a policy exclusion that applies to any "hostile or warlike action" to avoid covering damages Merck sustained in NotPetya, a 2017 cyberattack believed by most Western nations to have been carried out by the Russian government.[1]

An attorney at Steptoe & Johnson LLP who represents AIG argued that the exclusion was tailor-made to apply to any act of war launched by a nation-state, including a cyberattack.  NotPetya was a piece of malware launched by Russia to cripple the Ukrainian government and its core businesses, he said, classifying Merck's losses from the attack as "collateral damage."  "This is precisely the kind of situation that 'hostile and warlike actions in a time of peace or war' was designed to address," the attorney stated, referring to language from the exclusion.

Judge Currier asked the attorney representing AIG whether the exclusion has ever "been previously used to exclude coverage for cyberattacks."  "Not to our knowledge," he responded.  "But also not to our knowledge has there been a situation such as NotPetya," which was "in the middle of the Russia-Ukraine conflict.  Cyberattacks are clearly weapons of war nowadays," he added.  "Cyber is a battlefield."

An attorney at Covington & Burling LLP who represents Merck argued that the war exclusion should only apply to traditional forms of warfare based on its plain language.  There is a key difference between the terms "war" and "cyberwar," he said, noting that the exclusion in Merck's policy only mentions the former.  "The dictionary definition today of war still talks about the deployment of armed force against an enemy," he said. "The same dictionary defines cyberwar as a use of computers against an organization."

In August 2018, Merck dragged 15 insurers, including Chubb, AIG, Zurich and Liberty Mutual, and eight reinsurers, including Hannover Re, Munich Re and Generali, to court in Union County, New Jersey.  The pharmaceutical company alleged that the carriers breached their "all-risk" property policies by refusing to cover its losses from NotPetya, a piece of malware that spread in June 2017 after being introduced via an update to accounting software.  Many of the carriers have since been dismissed from the case.  According to the suit, the malware infection spread to 40,000 Merck computers, caused more than $1.4 billion in losses and hurt Merck's revenues.

In a ruling made public in January 2022, New Jersey Superior Court Judge Thomas J. Walsh granted Merck's motion for partial summary judgment, holding that the war exclusion did not explicitly include the word "cyber" and therefore only barred coverage for acts of traditional, physical warfare.  Judge Walsh's ruling sent shockwaves throughout the insurance industry, with carrier-side attorneys and insurer groups warning of the potential marketplace ramifications of the court's holding.  A reversal would also result in a spotlight on the increasingly controversial issue of how to attribute a cyberattack for insurance purposes, attorneys say.

On 8 February, an attorney at Crowell & Moring LLP spoke on behalf of the American Property Casualty Insurance Association, which filed an amicus brief in the case.  She echoed the concerns of the broader insurance industry, arguing that it's unreasonable for a court to expect carriers to list every action they do not intend to cover in a "categorical exclusion" like the one at issue in the Merck case.  "Refusing to enforce the plain terms of this exclusion would put into doubt the application of other categorical exclusions when we face a new or innovative fact scenario," she said, referring to the newness of cyberattacks.  "That uncertainty would threaten the insurance market."

However, Covington & Burling argued that even if the exclusion could theoretically apply to acts of cyberwar in some circumstances, the NotPetya attack does not meet that bar.  "Even if you could have a cyberattack amount to an act of war, putting malware in an accounting software and interrupting a business's operations is not that," it said.

Potentially tipping her hand as to which way she is leaning, Judge Currier seemed to lend some approval to Covington & Burling’s contention that NotPetya should not trigger the exclusion since over 80% of Merck's losses from the attack happened in the US, not in Ukraine.  "How was it then a warlike action if so much of the damage occurred in the US?" she said.

The case is Merck & Co Inc. et al. v. Ace American Insurance Co. et al., case number A-001879-21-T02, in the Superior Court of New Jersey, Appellate Division.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or             

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings  

