An open question in the cyber insurance market is whether a cyber-attack can be construed as an act of war and, if so, what implications this has for both insurers and businesses wanting to insure against losses caused by cyber-attacks.

There have been two key examples relating to the way that insurers treat cyber-attacks: the first is the 2018 cyber-attack on the Marriott hotel group, which resulted in up to 500 million guests' data being accessed and a large insurance payout; the second is the losses that snack company Mondelēz suffered in a global cyber-attack, which led Mondelēz to sue their insurers in the US for refusing to reimburse those losses.

Background

The Marriott hotel group announced in November 2018 that they had been subject to a cyber-attack. The group's databases had been hacked, with millions of guests' records improperly accessed by the perpetrator. [1] The group held insurance that covered cyber breaches and privacy liabilities and has since received over $100 million towards the expenses that arose out of the incident. [2]

This is a far cry from the position that Mondelēz International find themselves in. The global food brand was significantly affected by the NotPetya cyber-attack in 2017. The business' laptops and emails froze and their logistics software crashed. [3] Following weeks of remedial action, Mondelēz recovered their systems. After suffering losses in excess of $100 million as a result of NotPetya, Mondelēz turned to their insurers, Zurich, only to find that Zurich is relying on a 'war' exclusion clause in their policy to avoid reimbursing the losses.

Act of 'war'?

The cyber-attacks suffered by both Marriott and Mondelēz were likely started by state-backed attackers. The Marriott data breach has been widely reported as the responsibility of Chinese state-backed hackers [4], but the cyber insurance policy Marriott held has reimbursed the hotel group for a large portion of their losses. Conversely, the NotPetya attack originated in Russia and has been tied to Russia's conflict with Ukraine. It is this state link that Zurich has used to rely on the 'war' exclusion in its policy wording.

Zurich claims it is not liable to reimburse for "loss or damage directly or indirectly caused by or resulting from … hostile or warlike action … by any government or sovereign power … or agent or authority [thereof]." Mondelēz are now in the process of suing Zurich in the Illinois court. The court must now decide whether cyber-attacks are an act of war, a decision which, although immediately landing in the US, may set a direction of travel in the global cyber insurance market.

Cyber insurance products

Marriott had specifically purchased a cyber insurance product, whereas Mondelēz are claiming their losses fall under an all-risk property insurance product. There are divisions in the insurance market for different products, and there are specific insurance markets for cyber activities, for war and for criminal activity. It could therefore be argued that if Mondelēz had wanted to ensure they were covered for the type of losses caused by NotPetya, they should have taken out a specific cyber policy.

The US case of Mondelēz v Zurich is understandably being watched with interest around the world as, should insurers be able to successfully rely on the 'war' exclusion, businesses could be left exposed to risks if they come under a cyber-attack stemming from a government or state (or an agent or third party acting on behalf of a government or state). Not only would this undermine the cyber insurance market globally, it also raises the issue of cover being dependent on who a business is hacked by. A cyber-attack by opportunistic criminals could produce the opposite result to one by state-controlled hackers, even though the virus and subsequent losses could be identical. There may be interesting questions as to whether, and if so how, insurers will be able to prove the origin of the attack to the satisfaction of the court. But none of this would be helpful to businesses purchasing insurance products, who require certainty that, should they be targeted, their losses are covered and that they will not find themselves the victims of collateral damage in an invisible cyber-war. Such uncertainty would also be unhelpful to insurers who want their potential customers to have confidence about the protection they are buying.

For insurers, insureds and brokers alike, careful thought should be given to act of war exclusions in the context of cyber-attacks, both in specialist cyber policies and when covering other risks.