COURT RULES THAT WAR EXCLUSION DOESN’T BAR MERCK’S $1.4B CYBER LOSS HOLDING INSURERS SHOULD HAVE UPDATED THEIR OLD EXCLUSION
SUPPORTING TESTIMONY PROVIDED BY POLICYHOLDER INSURANCE EXPERT WITNESS TY SAGALOW
In June of 2017 a cyberattack known as NotPetya caused massive damage to computer systems worldwide. Numerous governments, including the United States, accused Russia of orchestrating the attack which oriented in the Ukraine but quickly spread in computers in other countries including Merck’s systems in New Jersey causing over one billion dollars of damages. Merck’s property insurance carriers denied the claim based on the policy’s War Exclusion which largely mimicked ISO traditional war exclusion.
The Court held that even assuming that the cyberattack could be considered a cyberwar or cyber “hostile act” the exclusion did not apply to cyber events concluding that:
“It is also self-evident, of course, that both parties to this contract are aware that cyber attacks of various forms, sometimes from private sources and sometimes from nation-states have become more common. Despite this, insurers did nothing to change the language of the exemption [sic] to reasonably put this insured on notice that it intended to exclude cyber attacks. Clearly that had the ability to do so. Having failed to change the policy language. Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.”
The Court decision parallelled Policyholder expert witness Ty Sagalow opinion which provided in in his expert report and deposition testimony arguing that the insurer’s failure to update the traditional war exclusion to specifically include cyber events (infact to do so to include additional reasonable guidance as to when a policyholder can expect a “mere” cyber attack to be considered an “act or war”) meant that the carrier’s War Exclusion cannot be applied to the claim.