Simon Shooter looks at a looming landmark case between between Mondelez International and Zurich American over losses incurred as a result of the 2017 NotPetya attacks and asks if this may change the face of cyber insurance for good.
It has been a while coming but the current spat between Mondelez International and Zurich American is a battle that has been waiting to kick off for a long time.
In short, Mondelez International, the company behind Oreos, Ritz Crackers and Toblerone, suffered losses as a result of the NotPetya attacks of 2017. Public statements by Mondelez International put the cost of that damage at over $100m. They were insured by Zurich American.
Mondelez International had insurance cover against “physical loss or damage to electronic data programs or software, including physical loss or damage caused by malicious introduction of machine code”. Cover also included non-physical loss and expense caused by failure of electronic processing equipment due to damage resulting from a cyberattack.
So, having taken the hit from NotPetya, one might reasonably expect Mondelez International to be feeling pretty happy that it had recourse to relevant insurance cover. You can imagine their unhappiness when, in response to their claim on the policy, Zurich American denied cover, pointing to an exclusion which provided that their insurance did not cover the consequences of an “act of war”. Mondelez International responded by issuing legal proceedings in October 2018.
Ahead lies a court battle that will be watched with extreme interest by insurers, insureds and, of course, both sides' lawyers. The precedent that the Illinois State Court could make will have significant repercussions in the cyber insurance marketplace. That is, of course, if the case runs to a judgment and is not settled first. My money is on a settlement: the precedent is one that could upset the applecart in the cyber insurance world with an anticipated howl of indignation from insureds who are likely to be outraged that their policies may not offer cover against a live and foreseeable cyber security risk.
The “act of war” exclusion for Zurich American depended on there being a hostile or warlike action taken by a sovereign government or power, military force or their agents. Zurich American will no doubt point to the public association of the NotPetya attack to Russia by the USA, UK and other states; but it will have to prove to the court that NotPetya was an act of war.
Act of War and Terrorism exclusions are common in many policies of insurance and they regularly featured in many of the early cyber risk policies. It would be a sensible precaution to check the terms of current policies to see if these standard exclusions have been incorporated. If they do, the follow on is to ask your broker/insurer whether you would be covered in a NotPetya style of attack.
If Mondelez International's case proceeds it will be a fascinating one. The nascent cyber-insurance industry has for the past few years assiduously sought to develop itself as a must-have coverage for corporates. These are the same corporates who have been lectured endlessly by governments - and all and sundry in the cyber security world - to wake up and take cyber-risk seriously. To date, while on the sales and charm offensive, the insurance companies have played nicely and have not pulled the pin on the ever-present grenade of war risk exemption. Now it has been pulled, the question is whether the insurance industry will seek to put it back in.