Abstract
The rise of large-scale, state-linked cyber operations has revealed significant tensions within cyber-insurance law, especially regarding the ongoing reliance on traditional “act of war” and “hostile or warlike action” exclusions. These exclusions were created during a time of active conflict and territorial warfare. Insurers increasingly use them to deny coverage for cyber incidents linked to state actors. This paper examines the legal soundness of these exclusions by analyzing Merck & Co. v. Ace American Insurance Co., which emerged from the NotPetya malware attack and led to historic global losses. Through a close examination of U.S. insurance law, including Merck, Mondelez, and earlier cases related to war exclusions, the paper shows that courts have generally refused to expand these exclusions beyond their historical limits unless there is clear and specific policy language. The study also places these legal developments in the context of changing regulations, particularly the 2024–2025 Lloyd’s of London mandates that call for clarity on exclusions related to state-backed cyber operations. The paper argues that current legal definitions of “war,” “hostility,” and “sovereign action” do not fit the realities of cyberspace. In this domain, attribution is uncertain, operations happen continuously across borders, and damage is mostly economic rather than physical. Relying on attribution-based exclusions could make cyber insurance ineffective and may not meet policyholders’ reasonable expectations under all-risk policies. To fix this issue, the paper suggests shifting to a “functional impact” approach for analyzing exclusions. This method would focus on the nature and effects of the cyber event instead of its political context. 
Such an approach would better align the concerns of insurers with contractual certainty, maintain the risk-transfer purpose of cyber insurance, and provide a clearer framework for resolving cyber-related coverage disputes in today’s digital world.
Keywords: Cyber Insurance; Act of War Exclusion; State-Sponsored Cyber Operations; Attribution in Cyberspace; Merck v. Ace American
Introduction
As the distinction between crime and war further erodes, the role of cyber insurance as a contested and crucial tool for distributing digital risks remains a focal point. Among the contested issues of cyber insurance is the “act of war” exclusion, a clause drawn from traditional insurance principles that is insufficient to deal with the complexity of cyber conflicts. Originally drafted to protect against kinetic wars and conflicts between states, the exclusion is in a state of flux because it is being applied to cyberattacks that lack the traditional elements of war. The difficulty of determining what “hostility” means in this context was highlighted most recently in Merck & Co. v. Ace American Insurance Co., the litigation arising from the NotPetya cyberattack.[1] The rejection of the insurer’s invocation of the act of war exclusion in that case marks a significant shift in the assessment of cyber risks under traditional insurance products. This paper analyzes the legal reasoning in the case to assess how it fits within the wider legal approach to the interpretation of insurance contracts. It also analyzes the changing understanding of hostility in cyberspace, highlighting the implications for the insurance industry today and in the future.
Research Questions
- How have courts interpreted traditional “act of war” and “hostile or warlike action” exclusions in the context of cyber incidents, particularly in Merck & Co. v. Ace American Insurance Co. and related jurisprudence?
- What principles of insurance contract interpretation—especially the reasonable expectations doctrine and narrow construction of exclusions—govern the applicability of war exclusions to cyber-related losses?
- Why does attribution of cyber operations to sovereign states pose doctrinal and policy challenges for the application of war exclusions in cyber-insurance disputes?
- Can a functional, impact-based approach to cyber incidents offer a more coherent framework for determining the scope of cyber-insurance exclusions while balancing insurer solvency and policyholder protection?
Research Objectives
- To analyze the judicial reasoning in Merck and Mondelez to identify the current legal threshold for “warlike” actions in cyberspace.
- To evaluate the shift from “War” exclusions to “State-backed Cyber-Operation” exclusions in modern policy drafting.
- To propose a standardized legal framework for “Digital Attribution” that can be used in arbitration and litigation.
- To recommend policy interventions (such as government-backed backstops) for “catastrophic cyber-risk” that the private market refuses to cover.
Review of literature
As a consequence, the interface of cyber insurance with traditional policy exclusion clauses has given rise to a large body of doctrinal debate as the law struggles to strike a balance between well-established insurance law principles and the realities of cyber risks. Early foundational writing focused on the evolution of the cyber insurance industry, which noted that a significant degree of ambiguity applied to exclusion clauses due to policies which had been entered into before the realization of cyber risks as a threat.
In terms of exclusion interpretation, U.S. jurisprudence generally views war, hostilities, and similar exclusions with disfavor. This is especially true where coverage is generally broad. Rules such as contra proferentem and reasonable expectations were established in jurisprudence before cyber issues began to surface in traditional litigation.
An important part of this literature involves the litigation stemming from the NotPetya malware attack and its effect on corporate property. In Merck & Co. v. Ace American Insurance Co., Merck sought to make a claim of $1.4 billion under an “all-risk” policy after the NotPetya cyberattack inhibited system functionality.[2] The insurer raised the hostile or warlike action exclusion, which was traditionally used to exclude damage caused by acts of war.[3]
However, such an interpretation by the insurance company was rejected not just by the trial court but also by the New Jersey Appellate Division. The reasoning behind this rejection rested on the fact that the language of the exclusionary provision had been crafted at a time when “cyberattacks” were not contemplated—thereby failing to clearly address malware. The need for the courts to refrain from interpreting traditional “war” exclusions to reach “state-sponsored cyber actions” without “clear textual language” warranted the same rejection.[4]
This aspect has been highlighted by scholars who have studied Merck. Shniderman, for instance, says in his work on Merck that “even if a cyber event triggering a ‘war/hostile acts’ exclusion could be said to raise attribution concerns, these changes inject definitional concerns into such a determination under a typical exclusion.”[5] Similarly, another scholar points out that “courts have traditionally been unwilling to stretch ‘war exclusion’ beyond kinetic conflicts.”[6]
Related litigation claims, such as those in Mondelez Int’l v. Zurich Am. Ins. Co., involved similar verbiage, with insurers advancing exclusionary defense claims that attempted to target NotPetya-related loss claims in several jurisdictions.[7] While several of these cases have reportedly settled, they demonstrate the risk and confusion that remains in litigation pertaining to cyber exclusion clauses.[8]
In addressing this concern, some thinkers have argued for necessary changes in the manner of drafting contracts and suggested including specific exclusions relating to cyber war or warlike actions, with precise definitions appropriate for cyber operations.[9] Another proposed measure is a regulatory or legislation-based mechanism to standardize exclusion clauses with a view to avoiding ambiguity and enhancing market stability.[10]
In summary, the literature represents an evolving dialogue in which traditional insurance principles offer interpretive aids, with presumptions in favor of coverage where exclusion clauses are ambiguous. Recent American cases such as Merck have encouraged courts to require clear text before applying war-era exclusions to cyber incidents, and recent scholarship promotes modernizing contracts to account for cyber-specific qualities.
Relevant case laws
- Merck & Co. v. ACE American Insurance Co., No. A-1879-21 (N.J. Super. Ct. App. Div., May 1, [11]: In the New Jersey Appellate Division case, it was determined that the “hostile or war-like action” exclusion provisions of the property insurance policy did not apply to Merck’s losses due to the NotPetya cyberattack because they are traditionally directed to actual wars. In fact, the exclusion provisions have never been applied outside of actual war or military actions.
- Merck — New Jersey Supreme Court Appeal (Pending): The state’s highest court granted an appeal by several insurers, highlighting the lingering legal uncertainty surrounding how traditional exclusions apply to cyber events.
- Universal Cable Productions, LLC v. Atlantic Specialty Insurance Company, 929 F.3d 1143 (9th Cir. 2019)[12]: The Ninth Circuit ruled that the insurer breached its contract in disputing losses stemming from Hamas rocket attacks under exclusions for losses due to war and for warlike action by a military entity, on the basis that those terms have a specialized definition that entails conflict between sovereign or pseudo-sovereign entities, which did not exist here. Summary judgment was ordered against the insurer.
- Holiday Inns, Inc. v. Aetna Insurance Co., 571 F. Supp. 1460[13]: In an insurance case long relied upon by various courts, including Universal Cable, the Southern District Court of New York decided that violent actions by non-state groups (Palestinian and Lebanese factions) are not within a war clause, as a “war” contemplated by an insurance policy usually means one between sovereign powers.
- Pan Am World Airways v. Aetna Casualty & Surety Co., 505 F.2d 989 (2d Cir. 1974)[14]: One of the earliest significant cases from the Second Circuit on the meaning of “war” in insurance law as including conflicts of entities possessing sovereign attributes, used in Universal Cable.
POLICIES
I. Policy Imperative for Reassessing “Act of War” Exclusions in Cyber Insurance
The exponential growth of cyber operations attributed to state and quasi-state actors has placed unprecedented strain on traditional insurance law doctrines. Among these, the “act of war” exclusion has emerged as one of the most contested contractual mechanisms in cyber insurance litigation. Historically, this exclusion served a narrow and well-defined purpose: to remove from the scope of private insurance those risks arising from sovereign armed conflict, which were considered unquantifiable, catastrophic, and inappropriate for actuarial pooling.[15]
The foundational assumption underlying this exclusion was that war constituted an exceptional condition—both temporally and spatially—marked by physical violence, territorial invasion, and identifiable combatants.
Cyberspace fundamentally disrupts these assumptions. Cyber operations are continuous rather than episodic, borderless rather than territorial, and frequently conducted through layers of deniability. Despite these differences, insurers have increasingly attempted to rely on traditional war exclusions to deny coverage for cyber incidents that merely bear alleged connections to state actors. This trend has produced doctrinal instability, commercial uncertainty, and litigation that exposes the inadequacy of legacy exclusions in addressing modern digital risks.
The Merck & Co. v. Ace American Insurance Co. litigation represents a watershed moment in this context. The New Jersey court rejected the insurer’s attempt to extend a conventional war exclusion to a state-linked cyberattack, emphasizing that exclusions drafted decades earlier could not be retrofitted to encompass cyber operations in the absence of clear and explicit language.[16] This judicial stance underscores a broader policy imperative: the continued application of traditional war exclusions to cyber risks without substantive revision undermines both legal certainty and market confidence.
II. Structural Misalignment Between Cyber Risk and Traditional Insurance Doctrine
A core policy concern arises from the structural mismatch between cyber risk characteristics and the foundational logic of war exclusions. Insurance law has long recognized that exclusions must be interpreted narrowly, particularly where they operate to defeat coverage under broadly worded “all-risk” policies.[17] This principle reflects an understanding that policyholders reasonably expect protection against unforeseen losses unless exclusions are clearly articulated.
Cyber risks, however, occupy a liminal space between conventional categories of loss. They may resemble criminal activity, espionage, sabotage, or military action, often simultaneously. Unlike kinetic warfare, cyber operations do not necessarily result in physical destruction or casualties, yet they can produce financial losses of immense magnitude. The absence of physicality challenges the conceptual boundaries of “hostility” as traditionally understood in insurance law.
From a policy perspective, allowing insurers to invoke war exclusions based solely on alleged state involvement risks collapsing this distinction altogether. If every sophisticated cyberattack can be framed as an extension of geopolitical rivalry, then the scope of cyber insurance coverage becomes illusory. This outcome would be inconsistent with the reasonable expectations of policyholders and would effectively transfer systemic cyber risk back onto private enterprises, contrary to the risk-spreading function of insurance markets.
III. Judicial Policy Signals Emerging from Merck and Related Litigation
Judicial responses to cyber war exclusions reveal an emerging policy consensus that courts should resist expansive interpretations of exclusionary language. In Merck, both the trial court and the appellate division emphasized that the insurer bore the burden of demonstrating that the exclusion unambiguously applied to the cyber event in question.[18] The court declined to equate geopolitical attribution with contractual intent, signaling judicial reluctance to allow insurers to rely on post-hoc political narratives to defeat coverage.
This policy orientation is not isolated. In related litigation involving Mondelez International, Inc. v. Zurich American Insurance Co., insurers advanced similar arguments seeking to characterize the NotPetya malware as a warlike act.[19] While many of these disputes were resolved through settlement, the litigation itself reflects persistent uncertainty regarding the scope of cyber exclusions and highlights the systemic risk of inconsistent judicial outcomes.
The policy lesson from these cases is clear: courts are increasingly unwilling to allow war exclusions to function as a catch-all defense against cyber losses. This judicial skepticism serves an important stabilizing function, preventing insurers from unilaterally redefining coverage boundaries in response to evolving threat landscapes.
IV. Policy Challenges of Attribution and Sovereignty in Cyberspace
One of the most complex policy issues in cyber insurance concerns the attribution of cyber operations to sovereign states. Attribution in cyberspace is rarely definitive and often relies on probabilistic assessments rather than conclusive proof. Cyber operations frequently employ proxy actors, compromised infrastructure, and deceptive techniques designed to obscure origin.[20]
From an insurance law perspective, reliance on attribution poses significant risks. Allowing insurers to deny coverage based on government statements or intelligence assessments—often classified, politically influenced, or non-justiciable—places policyholders at a severe disadvantage. It also risks transforming insurance disputes into de facto adjudications of international responsibility, a role for which domestic courts are institutionally ill-suited.
The Merck court implicitly recognized this concern by refusing to treat state attribution as determinative in the absence of explicit policy language.[21] This approach aligns with broader principles of contractual interpretation, which prioritize the text of the agreement over external political considerations.
As a matter of policy, cyber insurance frameworks must grapple with the reality that attribution uncertainty is an inherent feature of cyberspace. Any legal regime that conditions coverage on definitive attribution risks systemic failure, as such certainty is often unattainable. Consequently, policy frameworks must either lower the evidentiary threshold or decouple coverage determinations from attribution altogether.
V. Market Fragmentation and the Role of Regulatory Oversight
The absence of standardized cyber exclusion clauses has resulted in significant market fragmentation. Insurers adopt divergent approaches to cyber war exclusions, ranging from broad state-backed attack exclusions to narrowly tailored clauses addressing specific scenarios. This variability undermines predictability for policyholders and complicates judicial interpretation.
Recognizing this instability, Lloyd’s of London introduced mandates requiring insurers to clarify whether cyber policies exclude losses arising from state-backed cyber operations.[22] While these mandates represent a meaningful policy intervention, their impact has been uneven. Different syndicates have adopted varying definitions, attribution standards, and carve-outs, perpetuating uncertainty rather than resolving it.
From a policy standpoint, fragmented drafting practices increase transaction costs, fuel litigation, and erode trust in cyber insurance markets. They also disadvantage smaller enterprises that lack the bargaining power or expertise to negotiate bespoke policy terms. Without regulatory harmonization, the cyber insurance market risks devolving into a patchwork of inconsistent obligations and exclusions.
VI. Systemic Risk, Insurability, and the Limits of Private Markets
Cyber risk presents characteristics that challenge the fundamental assumptions of private insurance. Large-scale cyber incidents may produce highly correlated losses across industries and jurisdictions, undermining diversification. Attacks targeting critical infrastructure—such as energy grids, financial systems, or healthcare networks—can generate cascading effects that exceed insurer capacity.[23]
These features raise serious policy questions regarding the insurability of certain categories of cyber risk. If insurers respond by expanding exclusions, coverage availability diminishes, undermining the very purpose of cyber insurance. Conversely, forcing insurers to absorb catastrophic cyber losses without adequate reinsurance mechanisms threatens market solvency.
Historical experience with terrorism insurance provides a useful analogue. Following the September 11 attacks, private insurers withdrew from terrorism coverage due to unmanageable risk exposure, prompting legislative intervention.[24] Cyber risk may follow a similar trajectory absent proactive policy measures.
VII. Policy Implications for the Concept of “Hostility” in Digital Contexts
At a conceptual level, the application of war exclusions to cyber incidents requires a re-examination of what constitutes “hostility.” Traditional definitions of hostility presuppose armed force and physical violence. In cyberspace, hostility may manifest through economic disruption, data destruction, or operational paralysis without any kinetic component.
From a policy perspective, equating cyber hostility with armed conflict risks doctrinal overreach. It collapses distinctions between espionage, sabotage, and warfare, leading to overbroad exclusions that undermine coverage. Courts, as seen in Merck, have resisted this collapse by insisting on textual clarity and historical context.[25]
The evolving jurisprudence suggests a policy shift toward understanding hostility as a function of impact rather than intent or attribution. Such an approach aligns insurance law with the functional realities of cyber operations and preserves the protective purpose of insurance contracts.
VIII. Policy Consequences for Corporate Risk Allocation
The uncertainty surrounding cyber war exclusions has significant implications for corporate risk allocation. Enterprises increasingly rely on cyber insurance as a core component of enterprise risk management. When exclusions are ambiguously drafted or expansively interpreted, firms are exposed to residual risks that they reasonably believed were transferred.
This misalignment undermines corporate planning, discourages investment, and shifts systemic cyber risk back onto private actors ill-equipped to absorb it. From a policy standpoint, such outcomes are undesirable, as they weaken economic resilience and exacerbate vulnerability to cyber disruption.
The Merck litigation illustrates how judicial insistence on clarity can recalibrate this balance, reinforcing the principle that exclusions must be clearly negotiated rather than opportunistically asserted.
IX. Toward a Coherent Policy Framework for Cyber Insurance
Taken together, these considerations point toward the necessity of a coherent policy framework that reconciles insurance law principles with cyber realities. Such a framework must acknowledge attribution uncertainty, systemic risk, and the evolving nature of digital hostility. It must also balance insurer solvency with policyholder protection, ensuring that cyber insurance remains a meaningful risk-transfer mechanism rather than a nominal product hollowed out by exclusions.
The judicial reasoning in Merck offers a foundational policy signal: cyber risks cannot be governed by analogies to kinetic warfare alone. Instead, they demand context-specific analysis rooted in contractual clarity, functional impact, and market stability.
Recommendations
The growing reliance on digital infrastructure across sectors has transformed cyber risk from a peripheral operational concern into a central legal and economic challenge. Cyber insurance has emerged as a crucial mechanism for transferring and managing these risks. However, litigation arising from large-scale cyber incidents has revealed significant limitations in the application of traditional insurance law principles to cyber-specific losses. In particular, the invocation of war and hostility exclusions in cyber-insurance disputes has exposed doctrinal uncertainty, contractual ambiguity, and systemic risk allocation failures. The following recommendations seek to address these shortcomings through coordinated reforms in policy drafting, regulation, adjudication, and market structure.
A primary recommendation is the modernization of exclusion clauses in cyber-insurance policies. Traditional war and warlike action exclusions were historically drafted in response to kinetic conflicts involving physical force, identifiable belligerents, and territorial boundaries. Applying such exclusions to cyber operations—characterized by anonymity, indirect attribution, and non-physical harm—creates interpretive confusion and undermines contractual certainty. Insurers should therefore abandon reliance on generic war exclusions for cyber losses and instead adopt cyber-specific exclusions that clearly define the nature of excluded events. These exclusions should specify whether state sponsorship alone is sufficient to trigger exclusion or whether the cyber operation must form part of an armed conflict recognized under international law. Precision in drafting will reduce litigation and align coverage outcomes with the expectations of both parties.
Closely linked to drafting reform is the need to address the attribution problem inherent in cyber incidents. Unlike conventional warfare, cyber operations often involve sophisticated obfuscation techniques, proxy actors, and hybrid forms of engagement that blur the line between state and non-state conduct. Insurance contracts should explicitly articulate how attribution is to be determined and identify the evidentiary standards applicable to such determinations. This may include reliance on official governmental statements, findings of recognized international bodies, or consensus assessments by independent cybersecurity experts. Without contractual clarity on attribution, disputes are likely to persist, placing an unreasonable evidentiary burden on insured entities and leading to inconsistent judicial outcomes.
Another important recommendation concerns the protection of policyholders’ reasonable expectations. All-risk cyber-insurance policies are typically purchased with the understanding that they provide broad coverage against unforeseen and evolving digital threats. When insurers invoke broadly worded exclusions to deny coverage for systemic cyber incidents, they undermine the fundamental risk-transfer function of insurance. Insurers should ensure that exclusions are not only narrowly drafted but also transparently disclosed during the underwriting process. Clear explanations of the scope and potential application of exclusions would reduce informational asymmetry and strengthen trust in the cyber-insurance market.
Regulatory intervention represents a further critical avenue for reform. Insurance regulators should play an active role in overseeing the use of cyber-related exclusions, particularly those purporting to exclude losses arising from war, hostility, or state-sponsored actions. Regulatory guidance or model clauses could promote consistency across the market and prevent post-loss reinterpretation of policy language. Such oversight would also help ensure that exclusion clauses do not defeat the purpose of mandatory or widely relied-upon cyber-insurance products, particularly in sectors deemed critical to national infrastructure and economic stability.
In addition to regulatory guidance, legislative action may be required to address the systemic nature of catastrophic cyber risks. Certain cyber incidents have demonstrated the potential to cause losses on a scale comparable to natural disasters or terrorist attacks. Private insurance markets alone may be ill-equipped to absorb such losses, particularly when multiple policyholders are affected simultaneously. Legislatures should therefore consider establishing public–private partnership mechanisms to provide backstop coverage for catastrophic cyber events. These schemes could enhance market stability, ensure compensation for affected entities, and prevent the withdrawal of coverage following major cyber incidents.
International coordination is another essential component of effective cyber-insurance reform. Cyber operations routinely transcend national boundaries, yet insurance disputes are resolved within domestic legal systems that may differ significantly in their interpretive approaches to exclusion clauses. This divergence creates uncertainty for multinational corporations and complicates risk assessment and pricing. International cooperation, whether through formal treaties or soft-law instruments, could facilitate the development of shared principles governing cyber-insurance exclusions. Such coordination would promote predictability and reduce the fragmentation of legal responses to transnational cyber risks.
Judicial capacity-building also warrants attention. Cyber-insurance disputes frequently involve complex technical issues relating to malware behavior, network vulnerabilities, and digital forensics. Courts may benefit from specialized training or the use of technical experts to assist in understanding these issues. Enhanced judicial familiarity with cybersecurity concepts would contribute to more consistent and informed decision-making, reducing the likelihood of doctrinal drift or overly expansive interpretations of exclusion clauses.
The role of academic scholarship in shaping cyber-insurance law should be actively encouraged. Scholarly analysis has already played a significant role in critiquing judicial approaches and proposing reforms to exclusion clause interpretation. Continued interdisciplinary research, combining legal doctrine with insights from cybersecurity, economics, and risk management, can help anticipate emerging challenges and inform evidence-based policymaking. Engagement between scholars, regulators, and industry stakeholders would ensure that reforms remain responsive to technological developments and market realities.
Addressing the issue of silent cyber risk is another key recommendation. Many legacy insurance policies neither expressly include nor exclude cyber-related losses, leading to disputes over coverage in the aftermath of cyber incidents. Regulators should require insurers to clearly affirm or exclude cyber coverage in all relevant policies. This approach would eliminate ambiguity, reduce litigation, and enable policyholders to make informed decisions about their risk management strategies.
From the perspective of corporate governance, insured entities must also adapt to the evolving cyber-insurance landscape. Corporations should undertake comprehensive reviews of their insurance portfolios to identify potential coverage gaps, particularly in relation to cyber war and state-sponsored attack exclusions. Engaging legal and technical experts during policy negotiation can help secure tailored endorsements or clarifications that better reflect the organization’s risk profile. Proactive risk assessment and policy customization will reduce reliance on uncertain judicial interpretations.
Finally, cyber-insurance should be integrated into broader cybersecurity policy objectives. Insurance mechanisms can play a preventive role by incentivizing robust cybersecurity practices through premium adjustments, coverage enhancements, or risk-sharing arrangements. Aligning insurance incentives with recognized cybersecurity standards would promote resilience and reduce the likelihood of large-scale incidents that strain both private and public resources.
Therefore, the challenges posed by cyber-insurance war exclusions reflect the broader tension between traditional legal frameworks and rapidly evolving technological realities. Judicial decisions have underscored the importance of clear contractual language and adherence to established insurance law principles. However, lasting solutions require a holistic approach involving insurers, regulators, legislators, courts, and policyholders. By modernizing policy language, enhancing regulatory oversight, promoting international cooperation, and integrating insurance with cybersecurity governance, the legal framework governing cyber insurance can be better equipped to address the risks of the digital age.
Conclusion
The evolution of cyber conflict has fundamentally disrupted traditional legal and commercial understandings of risk, liability, and protection. As cyber operations increasingly resemble instruments of geopolitical strategy rather than isolated criminal acts, the insurance industry has been forced to confront the inadequacy of long-standing contractual concepts designed for a very different era. The controversy surrounding the application of “Act of War” exclusions to cyber incidents represents one of the most significant fault lines in contemporary insurance law. This paper has demonstrated that the attempt to transpose kinetic war-era exclusions onto intangible, attribution-challenged cyber events has produced legal uncertainty, inconsistent outcomes, and a misalignment between insurer intent and policyholder expectations.
The litigation arising from the NotPetya cyberattack, particularly the decision in Merck & Co. v. Ace American Insurance Co., marks a pivotal moment in the jurisprudence of cyber insurance. By rejecting the insurer’s reliance on a traditional war exclusion, the courts reaffirmed foundational principles of insurance contract interpretation, including the requirement of clear and unambiguous drafting and the protection of the insured’s reasonable expectations. Importantly, the ruling underscored that exclusions drafted without contemplation of cyber operations cannot be retrofitted to deny coverage for digital losses of unprecedented scale. This judicial approach signals a broader reluctance to expand exclusionary clauses beyond their historical and textual limits, especially where such expansion would undermine the essential purpose of all-risk policies.
At the same time, the Merck decision does not eliminate the legitimate concerns of insurers regarding systemic cyber risk and state-sponsored cyber operations. The growing frequency and sophistication of such attacks pose genuine threats to the financial solvency of insurers and the stability of the global cyber-insurance market. However, this paper has argued that these concerns cannot justify the continued reliance on vague and antiquated exclusionary language. Instead, the emerging legal landscape demands precision, transparency, and adaptation to the unique characteristics of cyberspace.
The analysis further reveals that the central challenge in cyber-insurance disputes is not merely definitional but structural. Concepts such as “hostility,” “war,” and “state action” lack settled meaning in the cyber domain, where operations may occur below the threshold of armed conflict and attribution remains probabilistic rather than conclusive. Courts have responded to this uncertainty by insisting on clear textual authority before permitting insurers to exclude coverage based on alleged warlike conduct. This insistence reflects a broader judicial effort to prevent post-loss reinterpretation of policy terms and to preserve the integrity of contractual risk allocation.
In response to these developments, this paper has advanced the case for rethinking how cyber risks are classified and excluded. Moving away from formalistic reliance on traditional war definitions toward a functional assessment of the impact of cyber operations offers a more coherent and equitable framework. Such an approach recognizes that the consequences of a cyber incident—rather than its geopolitical characterization—are more relevant to determining insurability and coverage. By focusing on functional impact, the law can better balance the competing interests of insurers seeking predictability and policyholders seeking meaningful protection.
Ultimately, the future of cyber insurance depends on the ability of legal frameworks to evolve alongside technological and geopolitical realities. Judicial intervention, while crucial, cannot alone resolve the systemic challenges posed by catastrophic cyber risk. Coordinated action by insurers, regulators, legislators, and international bodies is necessary to establish clear standards for drafting, attribution, and risk sharing. Without such reforms, the continued expansion of cyber warfare will strain existing insurance models and erode confidence in cyber-insurance as a reliable risk-transfer mechanism.
In conclusion, the reinterpretation of “hostility” in cyberspace is not merely a technical exercise in contract law but a reflection of deeper shifts in how law responds to digital power and vulnerability. The post-Merck legal landscape offers an opportunity to recalibrate cyber-insurance doctrine in a manner that is principled, predictable, and fit for purpose. Whether this opportunity is seized will determine the role of insurance in managing cyber risk in an increasingly interconnected and contested digital world.


