The noise surrounding silent cyber reached a crescendo in 2018 when a $100 million claim on an all-risks property insurance policy with cyber-risk protections sold by Zurich Insurance to snack maker Mondelez was denied by the carrier.
Mondelez based its claim on the policy wording—coverage for “all risks of physical loss or damage” to property, including “physical loss or damage to electronic data, programs or software, including loss or damage caused by the malicious introduction of a machine code or instruction.” Zurich denied the claim based on the policy’s coverage exclusion for acts of war or terrorism.
The backdrop to the startling decision—the first time the war exclusion has been used in denying a cyber insurance claim—is the insurer’s assertion that the NotPetya cyber attack was perpetrated as an act of war by Russia. This argument is based on the U.S. government’s assignment of responsibility for the cyber attack to Russian hackers attacking the Ukrainian government. Following the claim denial, Mondelez sued Zurich for breach of contract in what is now a closely watched case with far-reaching implications.
The historic cyber claim denial suggests growing concern among insurers about the potential financial severity of the cyber risks they’ve assumed on their balance sheets. Zurich may be setting the stage for other carriers to redefine what is and isn’t covered in all-risks policies affirming coverage for cyber losses—to the possible detriment of the stand-alone cyber insurance market. “If the cyber market doesn’t cover events like NotPetya,” says one executive at a large insurance brokerage, speaking on condition of anonymity, “what’s the point?”
Other industry participants share this opinion. “Since many, if not most, major cyber attacks are perpetrated by nation-states and terrorist organizations, companies and current insureds may question the value of buying cyber insurance if acts of war or terrorism negate the coverage,” explains Mark Synnott, executive vice president and global head of Willis Re’s cyber practice.
Whether the exclusion will prevail in the courtroom is open to interpretation. For one thing, the court will need to determine if cyber war is actual war. As Leader’s Edge pointed out two years ago, a real war requires a formal declaration. “Until an event is analyzed and declared an act of war, it isn’t an act of war,” Lani Kass, a former senior policy advisor to the chairman of the Joint Chiefs of Staff, said in the article.
Zurich may argue in court that NotPetya was related to Russia’s military intervention in Ukraine, which was reported by the media in war-like language. However, neither country issued a formal declaration of war, although Ukraine threatened several times to do so. Without an actual war, the terrorism exclusion may become the basis for Zurich’s claim denial, although the insurer would need to prove that Russian hackers were members of a terrorist organization. Generally, an act of terrorism also has to be declared for the exclusion to apply, Kass stressed. “The key is the declaration,” she said.
Further clouding the picture is that many countries routinely engage in acts of cyber espionage. For example, the United States has used its own cyber weapons to sabotage North Korea’s frequent missile tests. If cyber espionage is the way of the world and courts interpret the NotPetya attack to be an act of war, is much of the world at war?
Not only must Zurich prove the war or terrorism connection, it also must demonstrate that Russian operatives were the originators of the virus. “Zurich has to prove attribution, and if you talk to anybody in cyber security, they’ll tell you attribution is tough,” says Daniel Burke, national cyber practice leader at Woodruff-Sawyer. “They have to prove the virus was Russian code and that the Russian government was behind the code in an affirmative way.”
The decision on Mondelez’s breach-of-contract lawsuit is now in the hands of an Illinois court. “My hope is that the court won’t go this way or that other cyber insurers follow Zurich’s lead on this,” Burke says. “It would diminish some of the value of cyber insurance, negating a lot of what the industry has been selling.”