Merck has won its $1.4bn claim against insurers who denied payment for damages caused by the 2017 NotPetya cyberattack. The insurers claimed that Merck’s property insurance was subject to a war exclusion clause, which “plainly applies to the NotPetya attack”.
However, Merck argued that the clause was ambiguous, and it had relied on the ‘all risks’ element of its property insurance since it did not have separate cyber insurance.
Judges Currier, Mayer and Enright have now disagreed, stating that the insurers have not demonstrated that the exclusion clause could be fairly applied to the NotPetya cyberattack, hence they declined the request to delineate the exact scope of what cyberattacks might be encompassed under the hostile/warlike exclusion.
The ruling could be considered a win for policyholders, who pay substantial premiums to achieve certainty with respect to their insurance coverage in the face of often-uncertain cyberattacks.
The Appellate Division’s decision is significant in that it applies fundamental principles of insurance law, stating that exclusionary provisions must be construed narrowly against the insurer and any ambiguities resolved in the insured’s favor and consistent with the insured’s reasonable expectations.
On that score, the court determined that the plain language of the policies’ hostile/warlike action exclusion simply cannot reasonably be interpreted as encompassing a cyberattack on a non-military company providing commercial services to non-military customers. While the decision in the Merck case may not be the end of the matter, it is likely just the beginning of future arguments about what can or cannot be construed as a cyber act of war.
Despite cyber being considered a modern theater of war, discussion will likely continue over the validity of applying historical definitions to the new world. Regardless, the court’s decision represents a meaningful affirmation that plain language and policyholder-friendly tenets of insurance law must ultimately prevail.
The $1.4bn payout has significant ramifications for the insurance industry and is bound to impact the cyber and property insurance sectors.
