Cyber insurance concept banner header.To borrow a term from the 2020 lexicon, 2022 was an "unprecedented" year for cyber coverage claims. The nature of cyberattacks continued to evolve both in scope and sophistication, and insurance companies have sought to impose more onerous impediments to obtaining coverage. Despite insurance companies adopting more aggressive postures against covering cyber claims, 2022 provided policyholders with significant wins. The article summarizes the key cyber coverage decisions of 2022—and from a policyholder's viewpoint, the good, the bad, and the in-between.

War Means 'War': Insurance Industry's Attempt To Expand the Traditional 'War' Exclusion Rejected. The New Jersey Superior Court's decision in Merck & Co. v. ACE American Ins. Co., No. UNN-L-002682-18, 2022 WL 951154 (N.J. Super. Ct. Law Div. Jan. 13, 2022), provided policyholders with an important win, ruling that a standard exclusion for loss caused by acts of war, under an all-risk property policy, did not bar insurance coverage for Merck & Co.'s losses stemming from the "Notpetya" cyberattack of 2017. The war exclusion purported to bar coverage for losses caused by "hostile or warlike action … by any government … or by any agent of such government." Merck's insurance companies argued that the exclusion barred coverage for Merck's losses because the Notpetya malware attack had been launched as an instrument of the Russian Federation in its ongoing hostilities with Ukraine.

The court rejected the insurance companies' interpretation, and agreed with Merck that the war exclusion only applied to traditional acts of warfare, involving armed forces. In so concluding, the court adopted the "ordinary meaning" of the terms used in the exclusion as referring to "actual hostilities" in a war. Significant to the court's decision was the fact that the war exclusion had never been applied outside the ordinary confines of traditional warfare. Additionally, because cyberattacks have been a known risk, the court reasoned that the insurance companies had ample time to update their policies to expressly bar coverage for cyberattacks—if they had so desired—but that they had not done so. Accordingly, the court granted summary judgment to the policyholder that the war exclusion did not apply.