Listen to this post

Update: On May 1, 2023, the New Jersey appeals court affirmed the trial court’s decision that a war exclusion did not bar $1.4 billion in coverage for Merck’s losses stemming from the NotPetya attack.

On June 27, 2017, the skies over New Jersey were clear and the ground steady. But Merck & Co., a New Jersey-based pharmaceutical company, was under attack. Malware ripped through its computers, damaging 40,000 of them and causing over $1.4 billion in losses.

Merck was not the sole target.[1] Dubbed “NotPetya,” the virus tore through the US economy,[2] and did an estimated $10 billion in damage. The US Department of Justice charged six Russian nationals, alleged officers of Russia’s Intelligence Directorate (the GRU), for their roles in the NotPetya attack, among others. The attackers’ goal, according to the DOJ, was:

to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort.[3]

Merck had purchased $1.75 billion in property insurance to protect against this type of loss. Its “all risk” policies covered loss or damage resulting from destruction or corruption of computer data and software. Notwithstanding Merck’s efforts to buy protection for this kind of loss, its insurers denied coverage, pointing to the attack’s link to the war in Ukraine and citing the policies’ “war exclusion”:

A New Jersey trial court disagreed with Merck’s insurers, “unhesitatingly” finding that the exclusion did not apply. Merck & Co. v. ACE American Ins. Co., No. UNN-L-2682-18 (N.J. Super. Ct. Jan. 13, 2022). The court explained that the “ordinary meaning” of “war” is the use of armed forces in conflicts between nations. The exclusion included no language that would encompass a cyberattack despite knowing “that cyber attacks of various forms, sometimes from private sources and sometimes from nation states, have become more common.”[4] The use in the exclusion of “hostile” actions did not change that conclusion given the overall terms of the exclusion.

This result tracks courts’ traditional interpretation of the war exclusion: that the exclusion should only apply to acts of war between nation states or state actors. In making this determination, courts consider certain factors, like:

(i) whether the attackers wore uniforms, (ii) whether they used physical weapons, (iii) whether there was a governmental declaration of war, and (iv) whether medals for heroic acts were awarded. Recent decisions have likewise narrowed the scope of the war exclusion to traditional forms of warfare between sovereign states.[5]

Merck’s insurers appealed. Last month, a three-judge panel of New Jersey’s Appellate Division heard oral argument on the exclusion. The parties’ arguments harkened back to when the pollution exclusion was the issue de rigueur: Does the war exclusion apply to “traditional,” boots-on-the-ground conflict, as dictionary definitions suggest? Or should “war” be read more broadly to include cyberwar?[6] The New Jersey Appellate Division is tasked with answering these questions of first impression.

Cybersecurity risks keep CEOs up at night.[7] Cyber insurance is meant to alleviate some of those worries. Yet insurer arguments that stretch the bounds of the war exclusion beyond the policy language would shrink or completely curtail valuable coverage if a cyberattack has any purported link to a war or hostile act. Policyholders should be skeptical of such a blanket application of the exclusion. These disputes are driven by the policy language and the facts. Experienced coverage counsel can help push back against an insurers’ broad-brush application of this or any other exclusion.


[1] Check out this post for a discussion of Illinois food and beverage company Mondelez International Inc.’s expenses stemming from its exposure in the same attack.

[2] NotPetya is blamed for $10 billion in damages globally. For more, see https://www.huntoninsurancerecoveryblog.com/2019/05/articles/cyber/will-insurers-declare-war-the-war-exclusion-the-ransomware-attack-on-baltimore-and-the-nsa-cyber-tool/.

[3] See Press Release, Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace, U.S. DEP’T JUSTICE (Oct. 19, 2020), https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and.

[4] For suggestions on how cyber policyholders can narrow this and other exclusions in policy negotiations, see L. Sotto, PRIVACY & CYBERSECURITY LAW DESKBOOK §14.04 (2023 Supp. 2020).

[5] L. Masters & Y. Abreu, The War Exclusion Will Be a Leading Issue in the Months and Years Ahead (Mar. 16, 2022), https://www.huntoninsurancerecoveryblog.com/2022/03/articles/first-party-property/the-war-exclusion-will-be-a-leading-issue-in-the-months-and-years-ahead/. For another example of a court’s consideration of the war exclusion, check out these posts.

[6] It is the authors’ opinion that the “cyber-” modifier cannot be written into the exclusion post hoc.

[7] See comments from Hunton insurance recovery partner Andrea DeField.