Hunton Insurance Recovery Blog

The Supreme Court of New Jersey recently agreed to hear ACE American Insurance Company’s appeal of an Appellate Division decision finding that a war exclusion in a property insurance policy did not preclude coverage for Merck & Co., Inc.’s claim stemming from a 2017 cyberattack. We previously reported about this case here.   

The Superior Court of New Jersey Appellate Division recently upheld a lower court’s finding that the war exclusion in a property insurance policy did not preclude coverage for Merck’s claim stemming from a 2017 cyberattack. The decision is appropriately being heralded as a huge win for policyholders and an affirmance of New Jersey’s longstanding history of protecting policyholders’ reasonable expectations. We previously blogged about developments relating to the war exclusion and the Merck case when it was initially heard by the Appellate Division.

Update: On May 1, 2023, the New Jersey appeals court affirmed the trial court's decision that a war exclusion did not bar $1.4 billion in coverage for Merck’s losses stemming from the NotPetya attack.

On June 27, 2017, the skies over New Jersey were clear and the ground steady. But Merck & Co., a New Jersey-based pharmaceutical company, was under attack. Malware ripped through its computers, damaging 40,000 of them and causing over $1.4 billion in losses.

Merck was not the sole target.^[1] Dubbed “NotPetya,” the virus tore through the US economy,^[2] and did an estimated $10 billion in damage. The US Department of Justice charged six Russian nationals, alleged officers of Russia’s Intelligence Directorate (the GRU), for their roles in the NotPetya attack, among others. The attackers’ goal, according to the DOJ, was:

The City of Baltimore is the latest victim of increasingly common ransomware attacks. On May 7, 2019, unidentified hackers infiltrated Baltimore’s computer system using a cyber-tool named EternalBlue, developed originally by the United States National Security Agency to identify vulnerabilities in computer systems. However, the NSA lost control of EternalBlue, and since 2017, cybercriminals have used it to infiltrate computer systems and demand payment in exchange for relinquishing control. For instance, in Baltimore, the hackers have frozen the City’s e-mail system and disrupted real estate transactions and utility billing systems, among many other things. The hackers reportedly demanded roughly $100,000 in Bitcoin to restore Baltimore’s system. The city has refused to pay.

In an article appearing in CyberInsecurity News, Hunton insurance recovery partner, Michael Levine, comments on Zurich American Insurance Company’s attempt to invoke a so-called “war exclusion” as a basis for not paying business income losses suffered by snack food giant Mondelez International.  As Levine expains, so-called “war exclusions” have rarely been invoked and only then, in times of clear military or state-sponsored activity.  The Mondelez case will therefore focus on whether a computer attack was indeed an act of war and, importantly, whether and how Zurich ...

Notwithstanding the absence of a congressional war declaration since Japan bombed Pearl Harbor, Zurich American Insurance Company has invoked a “war exclusion” in an attempt to avoid covering Illinois snack food and beverage company Mondelez International Inc.’s expenses stemming from its exposure to the NotPetya virus in 2017. The litigation, Mondelez Intl. Inc. v. Zurich Am. Ins. Co., No. 2018-L-11008, 2018 WL 4941760 (Ill. Cir. Ct., Cook Cty., complaint filed Oct. 10, 2018), remains pending in an Illinois state court.