Although the traditional “boots on the ground” version of warfare certainly still happens, cyber warfare may be a component of modern national conflicts. But does this mean that what constitutes an “act of war” or a “warlike act” is now broader than the traditional forms of war in mind when war exclusions were first developed? There was a 38% increase in global cyberattacks in 2022 compared to 2021. Many threat actors carrying out these attacks are alleged or suspected to be associated with (or part of) nation-states and governments. Thus, in the cyber liability insurance context, the difficulty becomes whether war exclusions will foreclose coverage for acts of “cyber warfare.”

The potential application of a war exclusion for cyberattacks that may constitute acts of cyber warfare was recently addressed in Merck & Co. v. Ace American Insurance Co., Case No. UNN-L-2682-18, 2021 N.J. Super. Unpub. LEXIS 4566 (N.J. Sup. Ct. Dec. 6, 2021). Although this case involves an “all-risk” property insurance policy, it may provide further guidance on how a war exclusion may – or may not – apply in the cyber liability insurance context. At issue in Merck is whether a war exclusion in Merck’s all-risk property insurance program, which provides coverage for business income loss (among other things), precludes coverage for approximately $1.4 billion in damages that Merck suffered after falling victim to the NotPetya ransomware attack in spring 2017. Specifically, Merck’s insurers argued that the war exclusion applied because, they asserted, the NotPetya malware was deployed by Russia to disrupt and destabilize Ukraine. The New Jersey Superior Court sided with Merck, holding that the language of the exclusion did not reach cyberattacks such as NotPetya and that the insurers “did nothing to change the language of the [exclusion] to reasonably put this insured on notice that it intended to exclude cyberattacks.” The New Jersey Appellate Division affirmed. See Merck & Co. v. Ace Am. Ins. Co., No. A-1879-21, 2023 N.J. Super. LEXIS 43 (N.J. Super. Ct. App. Div. May 1, 2023). The Appellate Division agreed with the Superior Court “that the plain language of the exclusion did not include a cyberattack on a non-military company that provided accounting software for commercial purposes to non-military consumers, regardless of whether the attack was instigated by a private actor or a ‘government or sovereign power.’” As the risk of cyberattacks continues to increase, certain insurers have revised their war exclusions in an attempt to restrict or preclude coverage for cyberattacks committed by or on behalf of sovereign and/or quasi-sovereign entities. For instance, in August 2022, Lloyd’s announced that as of March 2023, insurers selling through the Lloyd’s platform are required to include exclusions for cyberattacks involving state actors in their cyber liability and certain other policies. The Lloyd’s language seeks to remove the requirement that a formal declaration of war is necessary to apply the exclusion. The Lloyd’s language has not, however, been consistently rolled out to policyholders.

Although we have yet to see how these newly crafted exclusions will apply in real-world claims, these potential new, more restrictive forms of the war exclusion may pose practical problems for policyholders. For example, questions of attribution to sovereign entities are, in many cases, inconclusive, such that coverage may be uncertain. A nation-state’s willingness to declare an event “war” may be subject to political or diplomatic concerns. Additionally, to the extent that more favorable terms and conditions are negotiable, companies may continue to see historically high costs for purchasing adequate cyber liability coverage.