The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning of the risk of Russian cyber-attacks spilling over onto United States networks as part of the Russian invasion of Ukraine. This follows previous CISA warnings on the risks posed by Russian cyber-attacks for critical infrastructure. The European Central Bank (ECB) has similarly warned European financial institutions of the risk of Russian cyber-attacks and related market disruptions.

The risk of cyber-attacks forces businesses and insurers to examine their policies to determine the coverages that may apply to losses caused by a cyber-attack. The current elevated risk draws into focus the recent decision in Merck and International Indemnity v. ACE (et al.), in which the Superior Court of New Jersey examined coverage under an All-Risk for loss arising from the NotPetya malware, which was allegedly used by Russia in a cyber-attack on Ukraine and spilled over into the rest of the world. The Merck court found that the “Hostile/Warlike action” exclusion contained in the subject policy was inapplicable and could not be used to exclude coverage for the loss.