On March 21, 2022, President Biden warned the nation that intelligence reports indicated that Russia was exploring cyberattacks against American companies, stating "… one of the tools [Putin is] most likely to use in my view, in our view, is cyberattacks." This escalated threat comes on the heels of the imposition of severe sanctions on Russia as a result of its invasion of Ukraine. This increased risk of potentially devastating cyberattacks occurs amidst an already fraught environment in which ransomware attacks more than doubled in 2021 (see Amiah Taylor, There's a huge surge in hackers holding data for ransom, and experts want everyone to take these steps, (Feb. 17, 2022)) and, after a brief retreat this past January, are back on the rise. As a result, cyber-insurance providers have had to reevaluate how to account for the additional risk posed by cyber-attacks in a war-time setting. It is this already-complicated background that made the December 2021 decision by a New Jersey Superior Court in Merck & Co., Inc. and International Indemnity v. Ace American Insurance Company, Case No. UNN-L-2682-18 (N.J. Sup. Ct.), notable for its potential consequences to the cyber-insurance market for small to medium-sized American businesses.

Despite the massive increase in cyber-attacks facing American companies over the last five years, a direct Russian cyber-attack on smaller companies is unlikely. Rather, while the White House and federal agencies such as the Cybersecurity and Infrastructure Agency have recently stressed the risk of Russian attacks on critical infrastructure companies, it is the potential for collateral damage to much smaller downstream vendors and unrelated companies that remains high, because of self-propagating malware. The best-known example of this is, of course, the NotPetya attack. In the summer of 2017, Russia launched a ransomware attack against a Ukrainian tax preparation software company as part of its years-long assault on Ukraine. The attack led to the infection of dozens of Ukrainian companies and institutions, including the National Bank of Ukraine, but almost immediately created global ripples, leading eventually to billions of dollars in damages. Victims included international shipping behemoth Maersk, Mondelez International, and pharmaceutical giant Merck, but also much smaller entities. Regardless of size, these victims found themselves completely locked out of their networked systems, which brought their operations to a standstill. In effect, they had become collateral damage in Russia's cyber-campaign against Ukraine.

In the aftermath of NotPetya, both Mondelez and Merck looked to their insurers to cover costs. Merck sought to invoke its all-risk property insurance policy with Ace American to cover more than $1.4 billion in losses it had sustained. This policy, unlike more focused cyber-insurance policies, contained an industry-standard war exclusion. In pertinent part, the exclusion indicated that the policy did not apply to "Loss or damage caused by hostile or warlike action in time of peace or war … by any government or sovereign power (de jure or de facto) by any authority maintaining or using military, naval or air forces … or by an agent of such government." Ace American relied on this exclusion to disclaim coverage, claiming that NotPetya was "an instrument of the Russian Federation as part of its ongoing hostilities against the nation of Ukraine." After lengthy proceedings, the court found in December 2021, in an 11-page decision, that Merck was indeed entitled to summary judgment on the grounds that the warlike exclusion was inapplicable to the type of attack that Merck had sustained. In rendering its decision, the court relied heavily on contract rules of construction to determine Merck's "reasonable expectations," noting that in the context of all-risk policies, "[e]xclusions 'will be given the interpretation which is most beneficial to the assured'" (citing Holiday Inns. v. Aetna Ins. Co., 571 F. Supp. 1463 (SDNY 1983) and Pan American World Airways v. Aetna Casualty & Surety, 368 F. Supp. 109 (SDNY 1973)). The court further stated that, despite the knowledge that cyber-attacks had "become more common," Ace American's failure to change the exclusion's language meant Merck "had every right to anticipate that the exclusion applied only to traditional forms of warfare." The decision, however, did little to address issues of attack attribution, which is likely to be a focal point of future similarly situated cases, thereby failing to provide certainty and instead suggesting that carriers will have to provide carve-outs for multiple factual permutations. (The New Jersey Appellate Division granted Ace American's motion for leave to appeal on February 24th.)