The cyberattack dispute between global insurance powerhouse Zurich Insurance Group AG and U.S. food group Mondelez International Inc. could spark changes in policy wordings whoever wins, according to cyber coverage specialists.
It could also provide greater impetus for the insurance industry to tackle so-called silent cyberrisk, wherein insurers can be held liable for cyber claims under standard policies because the contracts say nothing about whether such risks are covered.
Hostile or warlike
Mondelez, which owns brands such as Oreo, Cadbury and Nabisco, filed a $100 million lawsuit against Zurich American Insurance Co. in the Circuit Court of Cook County, Illinois, on Oct. 10, 2018, alleging that the insurer wrongfully denied a claim under a property insurance policy for losses incurred in 2017's NotPetya malware attack. Zurich American is based in Schaumburg, a suburb of Chicago that, like the Windy City, is in Cook County.
According to a November 2018 report by U.S. law firm Skadden Arps Slate Meagher & Flom LLP, Mondelez's complaint alleges that the attack rendered 1,700 of its servers and 24,000 of its laptops "permanently dysfunctional" and that the company suffered property damage and business disruption that cost it more than $100 million. It said the policy covers "physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction."
Zurich is relying on an exclusion in the policy for "hostile or warlike action."
NotPetya hit thousands of companies around the world. Loss data firm Property Claim Services estimated in November that the attack has cost insurers more than $3 billion, of which roughly 90% is silent cyber, according to a Nov. 7, 2018, report by Reinsurance News.
Seven countries, including the U.S. and U.K., blamed the attack on Russia. The White House described NotPetya as "part of the Kremlin's ongoing effort to destabilize Ukraine" in a February 2018 statement.
Most cyber insurance policies have exclusions similar to the warlike activity clause at the heart of the Mondelez case, potentially implying that should Zurich prevail, other insurers might try to avoid paying out for similar attacks under cyber policies. Cyber insurers typically try to stress that these exclusions are intended to exclude only cases of declared war and not cyber attacks, but policy language might nevertheless need to be clarified.
Zurich is likely invoking the war exclusion because the claim was being made on a property policy rather than a specific cyber policy, said Sarah Stephens, head of cyber at broker JLT Specialty. But she added, "If Zurich is successful in using this exclusion to deny coverage, then you'll have to see a widespread change in the way the cyber market writes these exclusions."
Graeme Newman, chief innovation officer at specialist cyber and technology underwriting agency CFC Underwriting, said: "We're already starting to see war exclusions being clarified in the cyber market, primarily by referring to 'kinetic war,' just like we saw terrorism exclusions be updated a few years ago to ensure that we weren't excluding cyber terrorism."
Newman agreed with Stephens' assertion that Zurich is using the clause because Mondelez is claiming against a property policy.
"I think this comes down to the fact that cyber insurers fully intend to pay this kind of loss, whereas property insurers do not, rather than the exact words within the war exclusion," he said, adding that a number of NotPetya claims have already been settled under stand-alone cyber policies, which he noted "address exactly the issue that Mondelez faced."
A silent solution?
Although several nations declared NotPetya an act of aggression by the Russian military, it remains unclear whether Zurich's use of the "hostile or warlike action" exclusion will prevail in court. Stephens described the move as "pretty unprecedented" and a "bold sort of thing for Zurich to have done in this particular case," and Newman said he thought that the exclusion would be "nigh-on impossible to really apply" because of the need for "conclusive proof" that a country had perpetrated the attack maliciously.
A Zurich victory would confirm the viability of the war exclusion to avoid cyber risk in property policies and push policyholders toward standalone cyber policies, Newman added. But he said that even if Zurich loses, policies will need to change, and the situation is also likely to push the industry to tackle the silent cyberrisk problem.
A Mondelez victory "will almost force major property insurers to put clear exclusions into the property policy, because property insurers simply cannot afford to take on this level of risk," he said.
And even if the case is settled out of court and there is no further legal clarity, "you will probably want to have people sitting down and actually thinking about clarifying the way in which this exclusion is intended to apply," said David Pryce, a partner specializing in acting for policyholders in insurance disputes at London-based Fenchurch Law.
Zurich Insurance and Zurich American both declined to comment. Mondelez was contacted for comment but had not responded at the time of publication.