When Does a Cyber Attack Become an 'Act of War'? A Critical Ruling for Cyber Insurance

Imagine your business suffers a devastating cyber attack that cripples operations and destroys critical data. You file a claim with your cyber liability insurance provider, only to be denied because the insurer declares the incident an "act of war"—an excluded event under your policy. This exact scenario unfolded for multinational corporations following the 2017 NotPetya attack, leading to a landmark US court case that redefined how cyber insurance policies interpret war exclusions. This ruling has profound implications for your business's data breach coverage and ransomware protection.

The NotPetya Attack: A $1.4 Billion Wake-Up Call

In 2017, the NotPetya malware worm caused global havoc. Unlike typical ransomware designed for financial extortion, NotPetya aimed for permanent, irreversible destruction of data. While primarily targeting Ukraine, its collateral damage spread worldwide, hitting companies like Beiersdorf and the US pharmaceutical giant Merck & Co. Merck reported staggering losses of approximately $1.4 billion due to business interruption and the costly replacement of decimated IT infrastructure.

Merck, believing it was covered under its cyber insurance policy for data loss from cyber attacks, filed a claim. Their insurer, ACE American (now part of Chubb), denied it. The insurer's argument? The NotPetya attack was an "act of war" allegedly perpetrated by a state actor, and such acts were explicitly excluded from coverage. This denial sparked a pivotal legal battle over policy language and the very nature of modern cyber warfare.

The Landmark Ruling: Merck vs. ACE American

In 2019, Merck sued ACE American for coverage. In a significant 2022 interim ruling, a New Jersey Superior Court judge sided largely with Merck. The court found that the insurer's "war exclusion" clause was ambiguous when applied to cyber attacks. The judge reasoned that:

• The policy language was traditionally understood to cover physical, kinetic warfare.
• The insurer failed to explicitly clarify that cyber warfare or state-sponsored cyber attacks would also be excluded.
• Merck could reasonably expect coverage for a cyber attack, as the policy did not contain clear, modernized language excluding digital acts of war.

This decision underscores a critical gap in many business insurance policies: outdated language that doesn't account for 21st-century digital threats. While a major victory for policyholders, it's important to note this was an interim ruling on coverage applicability, not a final order for payment.

Broader Implications for Cyber Insurance Policyholders

Merck's case is not isolated. Mondelez International (owner of brands like Toblerone) also faced massive disruptions from NotPetya and is in a similar dispute with its insurer, Zurich, which also cited the "act of war" exclusion. These cases highlight a systemic issue within the cyber insurance market.

Experts like Jörg Wälder, CEO of the Cogitanda Group, point out that insurers historically underpriced cyber risk policies based on pre-2016 data, severely underestimating the potential scale of attacks like NotPetya and WannaCry. In response, the industry is now aggressively raising premiums and tightening policy terms.

Expert Analysis: The Path Forward for Clarity

Ole Sieverding, Managing Director of a leading IT security firm, welcomed the court's decision. He argued that compromises of IT systems by malware—which can be executed without state military resources—should not be classified as war. "The path of denial based on a war exclusion is the wrong one," Sieverding stated. "It should only be done through careful review of all currently agreed insurance conditions and the inclusion of a transparent and clearly formulated cyber exclusion. Court-untenable denials of claims enormously damage the trustworthiness of insurers."

His insight points to the solution: transparent insurance policies with clear, modern exclusions. The ruling forces insurers to explicitly define what constitutes a cyber "act of war" rather than relying on ambiguous, century-old clauses.

What This Means for Your Business: Actionable Steps

This legal precedent is a crucial lesson in risk management. To protect your organization, you must be proactive:

1. Review Your Policy Meticulously: Don't assume your commercial cyber insurance covers all digital threats. Scrutinize the exclusions section, specifically looking for terms like "hostile or warlike action," "cyber war," or "cyber terrorism." Ask your broker for explicit definitions.
2. Demand Clarity and Modern Language: When renewing or purchasing a cyber insurance policy, insist on clear, unambiguous language regarding state-sponsored attacks and cyber warfare. Seek policies that define these terms or, ideally, do not exclude them silently.
3. Strengthen Your Cybersecurity Posture: Insurance is a financial backstop, not a prevention tool. Invest in robust data security measures, employee training, and incident response plans. A strong defense reduces your risk profile and can lead to better insurance terms.
4. Consult a Specialist Broker: Work with an insurance broker or advisor who specializes in cyber risk. They can help you navigate the complex market, compare policies effectively, and ensure you obtain the broadest coverage possible for your needs.

The Merck ruling has reset expectations, placing the burden on insurers to communicate exclusions clearly. For your business, it emphasizes that in the digital age, understanding the fine print of your cyber liability coverage is not just advisable—it's essential for survival. Ensure your coverage matches the reality of modern threats, so you're never left debating semantics after a devastating attack.