In May 2023 a New Jersey US Appellate Division refused to exclude insurers from coverage under an all-risks property insurance policy because the cyberattack which infected and damaged thousands of the claimant’s computers in its global network did not amount to “hostile/warlike action”.

Merke & Co, a multinational pharmaceutical company was the victim of the malware known as NotPetya which infected its computer and network systems across the globe through access gained to computer systems of a Ukrainian company that had developed its accounting software. The indemnity claimed under the policy was nearly USD 700 million. The policy covered “all risks of physical loss or damage to property not otherwise excluded … including any destruction, distortion or corruption of any computer data, coding, programme or software”.  Non-physical damage was covered for loss and expense “resulting from the failure of the Insured’s Electronic Data Processing Equipment or Media to operate, provided such failure is the direct result of a malicious act directed at the Named Insured”. The policy excluded “loss or damage caused by hostile or warlike action in time of peace or war … by any government or sovereign power … or by an agent of such government, power, authority, or forces”.

The court held that the plain language of the exclusion did not support the insurers’ interpretation. The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action. The exclusion does not state that the policy precluded coverage for damages arising out of a government action motivated by ill will. Coverage could only be excluded in the circumstances if the court stretched the meaning of “hostile” to its outer limit. Insurance policy exclusions must be narrowly construed. The specific, plain, clear and prominent meaning, and the clear import and intent, of a word or phrase in an exclusion does not allow the broadest possible interpretation, but rather its narrowest interpretation. The plain language of the exclusion did not include a cyberattack on a non-military company that provided software for commercial purposes to non-military consumers regardless of whether the attack was instigated by a private actor or a “government or sovereign power”.

Expert witnesses stated that “war exclusions” had been introduced into the Lloyd’s market in the 18th century and the phrase “hostile or warlike action” or similar variants have appeared in war exclusions since the 1950’s. Yet there was no precedent interpreting the language in the manner suggested. All the cases quoted by the court demonstrated a long and common understanding that the term “hostile or warlike action” by a sovereign power are intended to relate to actions clearly connected to war or, at least, to a military action or objective. Therefore, said the court, in addition to the plain language interpretation of the exclusion, the context and history of this and similarly worded exclusions and the manner in which similar exclusions have been interpreted by courts compelled the court to the conclusion that the exclusion was inapplicable to bar coverage for Merke’s losses.

Merke & Co., Inc v Ace American Insurance Company and other insurers: Superior Court of New Jersey Appellate Division: Docket No A-1879/21 & A-1882/21