Facts of the case
The facts in the 1 May 2023 ruling by the Appellate Division of the Superior Court of New Jersey illustrate the unprecedented speed and power with which a cyberattack can strike a company, even if the attack was not aimed directly at that company. The NotPetya virus initially targeted the computer systems of a Ukrainian company that developed accounting software, but subsequently spread around the world.
Within 90 seconds after the initial NotPetya virus infection, about 10,000 computers on Merck's global network were infected; after five minutes, the virus had spread to 20,000 computers. Eventually, 40,000 computers in Merck's network were affected, interrupting Merck's entire business operations. Merck's total damage allegedly amounted to around USD 1.4 billion.
Coverage and exclusion of damage in insurance policies
Specific cyber insurance policies are available for damage resulting from cyberattacks and network incidents. Traditional insurance policies, such as property policies, sometimes also (partly) cover cyber-related damage. Merck had an all-risk property policy with over 20 insurers, which also (explicitly) provided coverage for damage to computers, data and software:
"This policy insures against all risks of physical loss or damage to property, not otherwise excluded in this policy [...]. Physical loss or damage shall include any destruction, distortion or corruption of any computer data, coding, program or software except as excluded specifically [...]."
Both stand-alone cyber insurance policies and traditional property policies usually contain a (standard) exclusion for damage resulting from e.g. war. This was also the case in Merck's policies:
"This policy does not insure against: Loss or damage caused by hostile or warlike action in time of peace or war [...],
(a) by any government or sovereign power [...] or by any authority maintaining or using military, naval, or air forces;
(b) or by military, naval, or air forces;
(c) or by an agent of such government, power, authority, or forces [...]."
The exclusion of war damage by insurers is common. In some countries, including the Netherlands, insuring such damage is even prohibited (or in any event allowed only under specific circumstances; see Article 3:38 of the Wet op het financieel toezicht (Dutch Financial Supervision Act)). The rationale for excluding war risks is that insurance coverage for war damage entails unacceptable financial risks for insurers, because in a war situation the damage may be so great that the insurer may run into financial difficulties. Moreover, the cause of the damage is extraordinary, making it difficult to predict the risk. In principle, war damage therefore cannot be insured in a responsible manner.
Cyberattack an act of war/hostile action?
Merck's insurers denied coverage by relying on this war exclusion, because the Russian government allegedly used the NotPetya attack as a tool in the conflict with Ukraine. According to the insurers, this constituted a hostile or warlike action. Merck disputed that, arguing that the attack was simply ransomware and that the damage it caused was covered under the policy.
In principle, it is up to the policyholder to prove that a covered event occurred. If that is the case but the insurer refuses to pay out on the grounds of an exclusion, the burden of proof is on the insurer. The insurers therefore had to demonstrate that the NotPetya attack was a hostile or warlike action, by (in short) a state actor and military means.
In my book on cyber insurance (N.M. Brouwer, De cyberverzekering vanuit civielrechtelijk perspectief, Deventer: Wolters Kluwer 2021) as well as in the Dutch scientific journal AV&S (N.M. Brouwer, ‘Hoog tijd voor modernisering: molest en terrorisme in de context van de cyberverzekering’, AV&S 2020/33, pp. 200-210), I previously described in detail why it is unclear to what extent cyberattacks can be classified as 'acts of war' (or in Dutch policies: 'molest') and are therefore excluded from insurance coverage. One of the key problems here is that the concepts used in insurance policies are based on traditional forms of war and conflict, the definitions and interpretations of which are reasonably clear. It is unclear, however, how the digital domain – and therefore a serious cyberattack – relates to traditional forms of war. When, for instance, is a digital means a weapon, or even a military instrument of power? In the case of digital assets, the distinctiveness of weapons and instruments of power is blurred, making it difficult to give them a clear interpretation in the context of war and conflict. Moreover, cyberattacks give rise to problems regarding perpetrators: it is difficult, for instance, to attribute an attack to a state actor, partly because the perpetrators often remain anonymous. The problem of attribution is still unresolved and, unfortunately, this Merck ruling does not offer a solution to that problem either.
In addition to the issue of attribution, the factors of target and intent are also bottlenecks with regard to the perpetrator. It is characteristic of cyberattacks that their impact can extend much further than the intended victim alone: the affected parties are often far removed from the perpetrator’s actual, original target. Cyberattacks differ in this regard from physical attacks. Unlike physical attacks, cyberattacks are not restricted to defined, and therefore more or less predictable, zones. That was very clearly the case with NotPetya: this attack impacted companies all over the world that had nothing to do with the initial target in Ukraine – not even coincidentally in terms of location. There is therefore no necessary connection and hardly any delimitation between the (initially) intended target and the insured companies that fell victim, other than, for example, the use of certain software.
In my book I wrote that in that situation, from the insured’s perspective, denial of coverage on the grounds of an act of war is likely to be contentious. It therefore does not come as a surprise that Merck did not accept the insurers' denial of coverage, in which it was vindicated by the courts in two instances.
The ruling in the Merck case
The court interpreted the war exclusion both at first instance and on appeal. Taking into account the plain language of the clause and the context and history of its application, the court did not find sufficient evidence of a hostile or warlike action in this case. According to the Superior Court, partly in view of the history of the war exclusion, a warlike or hostile action requires military action, which was not sufficiently apparent in the case of NotPetya: the attack was aimed at a non-military company that develops software for commercial purposes and for non-military consumers. Importantly, the Superior Court added that military action is insufficiently apparent for that reason alone, regardless of whether the attack was initiated by a private party or a government or sovereign power. As a result, the court appears to have attached more weight to the target and less to the perpetrator’s identity or intentions. This appears paradoxical: the emphasis on the military character that a warlike or hostile action must have implies the involvement of a state actor – as does the policy clause. The court appears to have brushed this aside to some extent.
It is also noteworthy, in my view, that the court gave a fairly strict interpretation to the history of the war exclusion and earlier case law on that subject. Given that cyberattacks are relatively new, they have obviously not been addressed in earlier case law. A strict interpretation of the concept ignores the fact that today's society is highly digitised and that this carries over into forms of warfare.
In light of its interpretation of the war exclusion, the Superior Court therefore also found in favour of Merck. The insurers will therefore have to compensate the damage. They do still have the option of appealing to the New Jersey Supreme Court, however. And that seems likely, given the fundamental nature of this question.
What does the Merck ruling teach us?
The insurers had asked the Superior Court to rule on what types of cyberattacks are covered by the war exclusion. That clarification has not been provided. What we do know is that the court attaches a lot of weight to the military character that an attack must have in order to qualify as a warlike or hostile action. The Merck ruling also gives insurers little to go by with regard to attribution. That is unfortunate because, as mentioned above, these are pressing questions. Serious efforts have since been made to provide more clarity and guidance on this point, for instance in the Lloyd's of London model clauses. But there are still many questions about those clauses too, for instance about the meaning of the term 'major detrimental impact to the functioning of the state' (see also this news item).
The Superior Court's judgment in the Merck case illustrates the importance for insurers of greater clarity regarding the interpretation and definition of war exclusion in the 21st century. In the Netherlands, a similar discussion on the ‘molest’ clause is also entirely conceivable. Clarity on this point is important for both insurers and the insured, so that both parties know where they stand in the event of major cyberattacks and insurers do not run irresponsible financial risks.