NotPetya: A War-Like Exclusion?
In 2017, companies worldwide, from Ukrainian banks to Danish shipping conglomerate Maersk to US companies Merck and Mondelēz, were crippled by a malware attack targeting every existing version of the Windows operating system.
This malware attack, later named NotPetya in order to differentiate it from the Petya attack in 2016, disrupted supply chains and business operations across the globe and caused in aggregate more than $10 billion USD in damages. For comparison, the ransomware that paralyzed Atlanta in 2018 caused $10 million USD in damages, and Petya itself, of which NotPetya was originally believed to be a variant, was estimated to have cost between $4 and $8 billion USD. In the aftermath of NotPetya, the affected companies suffered enormous losses: Maersk lost between $250 and $300 million, Mondelēz $188 million, and Merck a staggering $870 million.
Though Mondelēz suffered nearly $200 million in damages, the property policy it had secured with Zurich American Insurance Company was robust. The policy covered not only “physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of machine code or instruction,” but also “nonphysical losses and expenses caused by the failure of ‘electronic data processing equipment or media to operate’ due to malicious cyber damage.” Mondelēz filed a claim with Zurich a month later in July 2017.
Less than a year later, the US and the UK, among others, found that the Russian military was responsible for the devastating attack, alleging that NotPetya was originally intended to cripple Ukraine, but quickly spread beyond Ukraine’s borders. Shortly after, Zurich denied the claim, citing the war exclusion. The war exclusion, as given in the policy, barred coverage for “hostile or warlike action…by any…government or sovereign power…military, naval or air force.” And the US and the UK, as well as Canada and Australia, had all just identified Russia as the actor behind NotPetya, a cyberattack that could well be construed as “hostile or warlike.”
Mondelēz promptly sued Zurich in October 2018 in Illinois state court for breach of contract (Merck has also entered into litigation with “dozens” of its insurers in New Jersey court). The case represents what could be the first big fight over the extent of cyber coverage, even if the cyber coverage in question is embedded in a property policy.
One particular case may offer insight into how Zurich may make its case to invoke the war exclusion. In Pan Am v. Aetna in 1973, the NY Southern District Court established a three-pronged test for whether the war exclusion could be legitimately applied, which has been generally adhered to in litigation that has since taken place. Following that decision, Zurich will have to prove the NotPetya attack was:
- a hostile act,
- part of a course of hostility, and
- committed by actors with significant attributes of sovereignty.
However, it is not particularly clear where the courts will land on this issue. Consider, for example, when insurers denied life insurance payouts for deaths in the Pearl Harbor attack by citing the war exclusion. In New York Life Ins. Co. v. Bennion, the Tenth Circuit ruled that such an exclusion was justified because the Pearl Harbor attack was sufficiently similar to war, even if there had been no official declaration of war by Congress. And in Stankus v. New York Life Ins. Co., the Supreme Court of Massachusetts also decided that the war exclusion applied “in general to every situation that ordinary people would commonly regard as war.”
On the other hand, in Pang v. Sun Life Assurance Co. of Canada, the court acknowledged that Pearl Harbor could be considered an act of war, but differentiated it from a “state of war.” Because the US had not been in a “state of war” with Japan at the time the Pearl Harbor attack occurred (namely because the US still maintained diplomatic relations with Japan before the attack, and had not declared war), the war exclusion could not be applied. Similarly, in Rosenau v. Idaho Mutual Benefit Association the Supreme Court of Idaho held that though Pearl Harbor was a hostile attack that precipitated a declaration of war, it could have hypothetically (however improbably) not resulted in war, and therefore the war exclusion could not be applied.
However, when it comes to cyber, and more specifically to how the courts will ultimately rule on NotPetya, there is less precedent to take into consideration. That being said, where the courts land on this issue will have far-reaching implications for future cyber-related cases.