Brave new world of cyber insurance meets old world contract principles
The coverage provisions in the policy were not at issue. The case turned solely on the application of the 'hostile' or 'warlike' exclusion.
The demand and growth of cyber insurance reflects the havoc wreaked by hacks, data breaches and phishing attempts, which have become bolder because cybersecurity extorting businesses has proved lucrative. The first reported appellate decision was recently approved for publication.
In Merck v. Ace American Insurance Co., N.J. Super. (App. Div. 2023), the court was confronted with an issue under an “all risks” policy on which Merck made a claim after a cyberattack infected and damaged thousands of computers in its global network. The carriers denied coverage under a “hostile/warlike action” exclusion. Summary judgment was granted to plaintiffs, the trial court finding that the exclusion did not apply. The Appellate Division concluded the insurance carriers did not demonstrate that the cyberattack was a “hostile” or “warlike” action as contemplated by the exclusion, and, therefore affirmed the trial court summary judgment order.
The coverage provisions in the policy were not at issue. The case turned solely on the application of the “hostile” or “warlike” exclusion.
The opinion begins its analysis by reviewing well-established contract interpretation principles: Once it is shown that a claim falls within a policy’s coverage, the insurer bears the burden of establishing that an exclusionary provision applies; policy exclusions must be construed narrowly; and if the terms of an exclusionary clause are ambiguous, courts apply the meaning that supports coverage, rather than one that limits it. Faced with well-settled principles of insurance coverage law, the insurers conceded that “warlike” might not be applicable and asserted “hostile” should be read in its broadest possible sense as meaning “antagonistic,” or “unfriendly” or ”showing a desire to harm.”
There is no judicial precedent regarding “hostile/warlike” exclusions, but the New Jersey Supreme Court has consistently required insurers to speak in plain language before enforcing an exclusion. The court found that in Merck’s case, coverage would only be excluded if “we stretched the meaning of ‘hostile’ to its outer limit in a cyberattack when the culprit was a non-combatant firm fully outside the context of any armed conflict or military object.” That would obviously conflict with New Jersey’s basic construction principles requiring a court to narrowly construe an insurance policy exclusion.
Ultimately, the court affirmed the trial court’s grant of the plaintiff’s summary judgment motion because the losses were caused by a malware attack made by an opportunistic ransomware organization not known to be related to any state-sponsored activity.
The court further explored the history of “war” exclusions, which led the court to conclude that there was a long and common understanding that terms similar to “hostile” or “warlike” actions are clearly connected to war or, at least, to military action or a military objective. Therefore, because of (1) the plain language interpretation of exclusions, (2) burden of proof required to sustain exclusions, (3) history of similarly worded exclusions, (4) and the manner in which they have been interpreted by courts in other jurisdictions, the exclusion was held to be inapplicable to Merck’s coverage lawsuit.
An important point to take away is that, although a new policy developed to address a major business problem, wedded to language not previously construed by a New Jersey court, was resolved by employing well-recognized principles of insurance coverage law. We applaud the court on its analysis.
Related: