Via Bruce Schneier, the New Jersey Superior Court has found that the NotPetya attack that disabled much of Merck's shipping network in 2017 was not an act of war by the Russian government, and therefore Merck's insurer may be on the hook for a $1.4 billion payout:
The parties disputed whether the NotPetya malware which affected Merck's computers in 2017 was an instrument of the Russian government, so that the War or Hostile Acts exclusion would apply to the loss.
The Court noted that Merck was a sophisticated and knowledgeable party, but there was no indication that the exclusion had been negotiated since it was in standard language. The Court, therefore, applied, under New Jersey law, the doctrine of construction of insurance contracts that gives prevalence to the reasonable expectations of the insured, even in exceptional circumstances when the literal meaning of the policy is plain.
The Court also noted that under New Jersey law, 'all risks' policies extended coverage to risks not usually contemplated by the parties unless a specific provision excluded the loss from coverage.
36 Group's article included the court order from December 6th. The ruling only applies to New Jersey, but I expect insurance companies will take hard looks at all of their "all risks" policies to see how much exposure they could have to another cyberattack. I suspect insurers will start demanding people protect their networks better, too, the way they have encouraged people to buy safer cars.
It might also bankrupt Ace American Insurance Co., but that won't change the follow-on effects of this ruling.