Insurers for Merck & Co. must help cover losses from a $1.4 billion cyberattack that the U.S. blamed on Russia, a court said, rejecting the insurers’ argument that the attack was akin to an act of war normally excluded from coverage.
The NotPetya cyberattack didn’t involve military action and can’t be excluded from coverage under a warlike-act exclusion, New Jersey appellate division judges said in a decision released Monday.
“The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action,” the judges wrote. “Coverage could only be excluded here if we stretched the meaning of ‘hostile’ to its outer limit.”
Merck is pleased with the decision, a spokesman for the Rahway, N.J.-based pharmaceutical company said. Lawyers for Merck’s insurers didn’t respond to a request for comment.
The court’s decision, which upholds a lower court’s ruling, is a blow for insurers who have in recent years suffered costly losses from a sharp increase in cyberattacks.
The 2017 NotPetya attack at the center of the court case disrupted computer systems worldwide. Thousands of Merck computers were damaged after malware entered the pharmaceutical company’s systems through accounting software used in the company’s Ukraine operation.
The U.S. and other countries attributed the attack to Russia, and U.S. federal prosecutors brought related criminal charges, but the U.S. in its response didn’t liken the attack to armed hostilities. The Russian government has denied involvement.
“The United States didn’t say ‘NotPetya is an act of war against the United States and we’re going to launch a military response,’” Mark Mosier, a lawyer representing Merck, said at oral arguments in February.
Insurers, though, argued that the state-linked action should be considered a warlike act. Almost all kinds of insurance exclude coverage for war to try to protect insurers from the runaway losses that can occur in a conflict between nations.
“It was a virtual cyber nuclear attack,” Philip C. Silverberg, a lawyer representing several of Merck’s insurers, told judges in February.
Trade groups representing a range of sectors, from manufacturers to restaurateurs, supported Merck’s position, arguing that categorical exclusions in insurance policies should be read narrowly.
“The court’s decision was a meaningful affirmation that plain language and the core, policyholder-friendly tenets of insurance law must ultimately prevail,” said David Cummings, a lawyer for insurance-related nonprofit organization United Policyholders.