War (Exclusions) – what are they good for? The Merck Decision and its interpretation

Insurance policies typically exclude losses proximately caused by war or “hostile or warlike” action. The reasoning for this is due to Insurers’ inability accurately to assess the risk of such an event and the potentially catastrophic aggregative losses that war might trigger across a wide suite of policies at the same time.

The ambit and application of such exclusions, however, is far from straightforward. For example, as we put pen to paper, at least 100,000 Russian troops are positioned within reach of Ukraine’s borders. In recent weeks US President Joe Biden has stated that he is expecting some kind of military invasion of Ukraine by Russia. Any such invasion or attack by the Russian armed forces against Ukraine would clearly be a “hostile or warlike” action.

But what about a cyber-attack by a sovereign power or agent against another? Although no boots are on the ground and there are no human casualties, it clearly shares the same object to destabilise, often with catastrophic effect. Is such an act “hostile or warlike” within the meaning of a Policy exclusion?

This question recently came before the Superior Court of New Jersey in Merck & Co, Inc, et al. v. ACE American Insurance Company, et al. No. UNN-L-2682-18, in relation to the 2017 NotPetya cyber-attack. In Merck, the Superior Court of New Jersey “unhesitatingly” found on the facts that the exclusion did not apply. We consider the judgment below and speculate whether, on the same facts, an English court would likely come to a similar conclusion.

The facts

The 2017 NotPetya cyber-attack emerged in the Ukraine. At first, it was believed to be a form of ransomware, however, it was later discovered to be a type of malware which completely erased and destroyed the data it infected. It has been widely concluded that the developers of NotPetya were not financially motivated. Although the Russian Federation has never admitted responsibility for NotPetya, there has been unprecedented worldwide recognition that the Russian military was responsible for the attack as part of its ongoing animosity against the Ukraine.

NotPetya targeted Ukraine’s financial, energy and government institutions. However, it also spread further and caused extensive damage to other businesses including that of the multinational pharmaceutical company, Merck & Co, where it caused USD1.4bn of physical and business interruption losses. Merck claimed indemnity under its global all-risks property insurance policy (“the Policy”). The Policy covered Merck for losses resulting from destruction or corruption of computer data software. The Policy did not have a cyber exclusion.  However, Insurers denied coverage on the basis of a policy exclusion for “Loss or damage caused from hostile or warlike action in a time of peace or war” by a government, sovereign power or agent of such authority (“the War and Hostile Acts Exclusion”).

Merck argued that (i) the facts did not show conclusively that the NotPetya attack was an instrument of the Russian government and (ii) even if it was, the exclusion would not apply as the attack was not ‘hostile or warlike’.

Merck sued its Insurers in the US and sought Partial Summary Judgment from the Superior Court of New Jersey on the second issue (i.e. a declaration that the War and Hostile Acts Exclusion be deemed inapplicable to the dispute). On 6 December 2021, the New Jersey Judge, Thomas J.Walsh, “unhesitatingly” found in favour of Merck and granted Partial Summary Judgment on the issue.

In coming to his conclusions, the Judge stated:

• the New Jersey Courts have recognised the importance of construing contracts of insurance to reflect “the reasonable expectations of the insured” in the face of ambiguous language and phrasing;
• where there is uncertainty or ambiguity in the phraseology of a policy, the Insurer must show that the Insured’s interpretation of the exclusionary clause is entirely unreasonable; and
• cyber attacks of various forms have become more common. Despite this, Insurers had done nothing to change the language of the exclusion, reasonably to put Merck on notice that it intended to exclude cyber-attacks.

The judge stated that Merck’s “reasonable understanding” of “hostile or warlike action” related to the use of armed forces and only applied to “traditional forms of warfare”. The Judge held that the caselaw on war exclusions supported Merck’s interpretation and found the exclusion not applicable on the facts.

Commentary

It is important to stress that the policy under which Merck was seeking cover was its all-risks property policy, not a standalone cyber policy. The Policy was silent in relation to losses proximately caused by a cyber act. The all-risks nature of the Policy undoubtedly precluded any coverage argument in relation to whether the Policy covered such acts in principle, and it is likely that the English Courts would have formed a similar view in that regard had such an argument been raised. Even outside all-risk policies, in the absence of a cyber-exclusion, it is noteworthy that the English courts have routinely found coverage for cyber and privacy claims under a wide range of traditional non-cyber polices.

The only issue the Superior Court of New Jersey was asked to assess summarily was whether NotPetya was a ‘hostile or warlike’ act within the meaning of the exclusion.

As stated above, the trial Judge put great emphasis on Merck’s “reasonable understanding” of this term being one of “traditional forms of war”. We are of course very familiar with the doctrine of contra proferentem in English law (where an ambiguous term is construed narrowly against the interests of the party which created it). However, based on the decision in Merck, the doctrine of “reasonable expectation” goes well beyond contra proferentem.

What is particularly unlike anything with which we are familiar here, is just how far the Supreme Court of New Jersey goes to interpret the Policy language to fulfil the expectations of Merck. For example, there is nothing within the actual and express terms of the exclusion which suggests that the hostile or warlike action must be “traditional” forms of hostile or warlike action, for the exclusion to apply. The Judge arguably moved away from the plain language of the Policy in this respect. Furthermore, there appears to be little consideration of the meaning of the term “hostile” which is independent of the term “warlike”.

Under English law, the burden of proof is on insurers to show that a policy exclusion applies so that it may properly decline coverage. However, recent case law supports the view that, absent very genuine ambiguity, contra preferentem is unlikely to play a significant role in commercial insurance.

The modern approach is that the court will look instead at what a reasonable person would have understood the clause to mean having regard to all the policy terms, and in a manner which was consistent with the purpose of the insurance contract.

Under English law, there appears to be no technical meaning ascribed to the terms  “warlike” or “hostile”, although in the context of marine perils “hostile” has been held to mean a belligerent act. As such, “warlike” and “hostile” would appear to be very closely related. Such an interpretation is no doubt necessary, as a broad interpretation of “hostile act” may arguably leave little remaining coverage in many situations.

Whilst we consider an English court would construe such terms narrowly, we are however very doubtful that it would go so far as to say “hostile or warlike action” only applies to traditional forms of those types of action. For example, where the consequences of a cyber-attack are directly comparable to an armed-attack in terms of scale and effect, we consider that an English court may consider the exclusion would apply in such circumstances. On the facts of NotPetya, although it was undoubtedly economically devastating and disruptive, it arguably would not have met such a threshold. Although far from certain, had the Policy been governed by English law and jurisdiction, the court may arguably have come to the same conclusion as the Superior Court of New Jersey, although its basis and reasoning for doing so is likely to have been different.

What is clear is that the decision in Merck and the uncertainty in relation to how it would be interpreted here has caused shockwaves within the insurance industry both in relation to silent cyber and “war or hostile acts” exclusions. Many standalone cyber policies contain similar exclusions and the decision has ramifications as to the extent of cover under those policies as well. Given that a significant number of cyber-attacks are believed to be state-sponsored attacks, the need for clarity in respect of cover going forward is critical. In recent months, the Lloyd’s Market Association has responded and released four new model exclusions which effectively exclude both physical acts and state-backed cyber-attacks. It will be interesting to see the extent to which these clauses are adopted in cyber polices and where future coverage battles will be fought. Our view is that attribution and evidencing the source of the act might be a future battle ground. The clauses do make provision for this, but ultimately the nature of these attacks is that attribution is often far from clear.