top of page


Cyberattack Might Not Be War-Worthy

Share to:

War risk exclusion has been included especially in commercial property insurance policies for a long period of time.  Recently, a New Jersey Appellate court addressed the modern application of the war risk exclusion.

Plaintiff Merck & Co., Inc. (“Merck”), a multinational pharmaceutical company based in New Jersey, believed it was entitled to insurance coverage under the “all risks” property insurance policies issued by multiple defendants after a cyberattack damaged thousands of Merck’s computers in its global network.  The subject cyberattack was caused by a malware that started from a Ukraine accounting company used by Merck that processes invoices and financial data to the Ukrainian government.  Defendants denied coverage under the “Hostile/Warlike Action” exclusion within the policies.  Merck & Co. v. Ace Am. Ins. Co., 475 N.J. Super. 420 (App. Div. 2023).

The property coverage clause states: “This policy insures against all risks of physical loss or damage to property, not otherwise excluded in this policy, while at an Insured Location except as hereinafter excluded.”  Physical loss is defined as “any destruction, distortion or corruption of any computer data, coding, program or software except as excluded specifically in clause 6.M., Electronic Date Recognition Exclusion, and as hereinafter excluded.”

Under New Jersey law, insurance policy exclusions are construed narrowly.  The Appellate court ruled that the plain language of the Hostile/Warlike exclusion does not apply to a cyberattack on a non-military company that services non-military consumers, even if the alleged cyberattack was initiated by a private actor or a “government or sovereign power.”  Further, the Court dived into the history behind the war risk exclusion.  The purpose of the war risk exclusion is to “eliminate the insurer’s liability in circumstances in which it is impossible to evaluate the risk.”  Considering the history and intent of the war risk exclusion, the Court pointed out that the cyberattack at hand was not sufficiently linked to a military action in order for the war risk exclusion to apply.

Headshot of Staff Member


bottom of page