After the food and beverage conglomerate Mondelez International became a victim of the NotPetya ransomware attack in June 2017, around 1,700 of its servers and 24,000 of the company’s laptops were suddenly permanently unusable, not to mention other fallout, such as commercial supply and distribution disruptions, theft of credentials from many users, and unfulfilled customer orders, leading to losses that totalled more than US$100 million.
Unfortunately, Zurich, which sold the company a property insurance policy that included a variety of coverages, informed Mondelez in 2018 that coverage would be denied under the policy based on the war exclusion clause. This clause excludes loss or damage directly or indirectly caused by or resulting from a hostile or warlike action in times of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any government or sovereign power (de jure or de facto); military, naval or air force; or agent or authority of any party specified earlier.
In an insurance coverage action, Mondelez reported that it was seeking relief for Zurich's breaches of its contractual obligations under an all-risk property insurance policy, as well as Zurich's failure to honour promises and bad faith conduct.
“While the policy at issue is a property policy, the reason why this case is getting so much attention by the cyber insurance community is because the insurance company has denied coverage based on the war exclusion,” said James Carter (pictured), Of Counsel in Blank Rome’s policyholder-only insurance recovery practice, adding that a war exclusion appears in virtually every cyber insurance policy. “We don’t know specifically from the complaint the insurer’s rationale for raising the exclusion, but the NotPetya attack reportedly originated with Russia in its effort to destabilise the Ukraine. Because the virus had its origin in the activities of a sovereign state, that appears to be the reason why the insurance company is invoking the exclusion.”
The war exclusion is one of the more complicated ones for an insurance company to prove, particularly because it’s difficult to establish to the satisfaction of the court that in fact, a state or a state-linked actor was behind an anonymous cyberattack. If the exclusion applies in this case, it could potentially create a “massive hole in cyber policies that are being marketed to address precisely this type of risk,” explained Carter.
“From my perspective as an attorney who represents policyholders, the war exclusion in the Mondelez case reflects a broader concern about cyber insurance policies. The cyber policies are not standardised and while there are similarities from one policy to the next, there’s a great variety of wording on the market,” he told Insurance Business. “If you’re comparing policies, you often find differences that make you scratch your head – they contain broadly worded provisions, exclusions, and limitations, or complicated provisions that could lay the groundwork for coverage disputes.”
In light of the action, and today’s complex cyber risk landscape, insurance professionals need to be that much more diligent about the cyber policies that they’re selling to clients.
“It’s really important for insurance advisers to understand their clients’ risks, and then go to the market and find the best available coverage for them. It’s always a good idea to come back with several examples of policies so that the policyholder can compare [them] and work with their adviser to select the best policy for them,” recommended Carter.
“Beyond that, it’s also helpful for advisers to make sure that the policyholder understands how these policies work. They’re incredibly complex and policyholders sometimes think that they provide catch-all coverage, so to speak, when in fact their cyber policies are really collections of a variety of coverages, sometimes with their own terms, conditions, and limitations, so it’s important for advisers to help their policyholders understand cyber insurance and how it works.”