Cyberattack coverage dispute hinges on war exclusion argument
Posted On: Apr. 10, 2019 2:32 PM CST
WASHINGTON — An attempt by an insurer to invoke the war exclusion in a property insurance policy to deny coverage for damages caused by the NotPetya cyber attack should not become widespread practice in the cyber world, although risk managers should continue to monitor the potential, according to some experts.
Zurich American Insurance Co. invoked the “war exclusion” in a policy purchased by Deerfield, Illinois-based snack food and beverage company Mondelez International Inc. to deny coverage for the company’s expenses stemming from its exposure to the NotPetya virus in 2017, leading to litigation, Mondelez Intl. Inc. v. Zurich Am. Ins. Co., filed in Illinois Circuit Court in Cook County, Illinois, in October 2018. The governments of the United States and United Kingdom attributed NotPetya to a Russian military attack on Ukraine that spread to computer systems worldwide.
On June 27, 2017, Mondelez experienced two separate malicious introductions of malware machine code or instruction into two of its servers at different physical locations and at different times, according to the complaint. The two malware introductions or occurrences spread from these two servers, stole credentials of numerous users, propagated across the Mondelez network, and rendered about 1,700 of the company’s servers and 24,000 of its laptops permanently dysfunctional. Mondelez incurred property damage, commercial supply and distribution disruptions, unfulfilled customer orders, reduced margins and other covered losses aggregating well in excess of $100 million as a result of the damage caused both to its hardware and operational software systems, according to the complaint. But on June 1, 2018, Zurich informed Mondelez that it was denying coverage under the policy based on a policy exclusion for “hostile or warlike action in time of peace or war,” prompting the litigation.
A Zurich spokeswoman declined to comment on the litigation.
“We could talk for a long time about this,” William Boeck, senior vice president, U.S. financial lines claims practice leader and global cyber wordings and claims leader for Lockton Cos. LLC in Kansas City, Missouri, said at the Incident Response Forum in Washington, D.C., on Wednesday. “I’ve spoken to a number of cyber insurers that all uniformly take the position that the war exclusion in a cyber policy isn’t going to apply … If a cyberattack happens and it’s in the context of something that looks an awful lot like an ongoing war, yes, they might apply it. But where the attack is in effect hitting an innocent bystander like Mondelez half a world away from the target of the supposed attack, they are not going to apply that. They are going to regard that as cyber terrorism. This is a huge topic of conversation in the cyber insurance world right now because a lot of companies are worried that cyber insurers are going to go down that road. At the risk of speaking for insurers, what I can tell you is what they’ve told me: They don’t intend to apply the exclusion in this context. But I don’t take that as the end of the discussion.”
Scott Godes, a Washington-based partner and co-chair of the data security and privacy practice of Barnes Thornburg LLP, said the war exclusion “doesn’t apply — that’s my opinion.”
“The reality is, if you think about an evidence-based argument, very seldom is there going to be sufficient evidence to actually prove the war exclusion,” said Sean Hoar, a partner in the Portland, Oregon, office and chair of the data privacy and cybersecurity practice of Lewis Brisbois Bisgaard & Smith LLP. “Oftentimes with malicious actors, especially malicious state actors, they’re sophisticated enough that everything is anonymized and you’re not going to see it.”
Incident response plans have become more sophisticated, but the vast majority still do not address the role that insurers are going to play in the incident response, Mr. Boeck said.
“Make sure your incident response plan takes note of the availability of insurance,” he said. “Beyond that, what are some of the things that insurers are going to expect when you have an event?”
For example, the incident response plan should involve the use of vendors “that an insurer would expect you to use and would provoke as few issues when the claim happens as possible,” Mr. Boeck said.
“In this day and age, good cyber hygiene is the price of admission,” he continued. “If your client is checking boxes and being reasonable about cyber preparedness, there’s a very good chance that we’ll find a very good deal for them in the cyber insurance world. If your company is lagging behind, I think it’s definitely possible to buy insurance, but it’s a lot tougher. Insurance underwriters in this day and age are increasingly sophisticated. Some of them are bringing in some very, very sophisticated people from the IT world to help them ask the right questions when a policy is purchased. If you’re not on your game, the insurers will see that right away. That doesn’t mean you don’t get insurance, but maybe you won’t get the scope of coverage that you’d like and you won’t get the price you might otherwise.”
A major challenge is the differences in the language in cyber forms that exist in the market, experts say.
Policies “are not standardized, and they’re changing pretty consistently,” Mr. Godes said.
“There is no standard cyber insurance policy out there,” Mr. Boeck said. “Everybody has their own form. There are over 40, maybe more, who are serious cyber underwriters. There are a lot more that I would categorize as dabbling in it. As far as the policy goes, anything off the shelf might not fit. It needs to be tailored to be good. Whatever product you choose has to fit your risk.”
Another major challenge is the gaps that exist between policies, such as cyber, property and general liability, that may respond to incidents, Mr. Boeck said.
“That’s something I urge everyone to pay attention to because it will be messy,” he said.
The risk related to the potential harm of bodily injury in relation to cyber incidents is not being discussed enough, said Jennifer Beckage, an attorney and cybersecurity specialist with Buffalo, New York-based Beckage PLLC.
“Maybe we should have never called it cyber,” she said. “It gives this impression that it’s very narrow and only really contemplates one thing, and maybe that’s why some insureds aren’t purchasing enough.”
In one situation, a person experienced a heart attack during the response to an incident, Ms. Beckage said.
“This is really affecting people’s lives and their emotions,” she said. “The scope is so much broader than cyber.”
“Insurance policies and insurance companies are always a step behind latest development,” Mr. Godes said. “As the risks continue to develop, then the question becomes how do the policies respond in light of these new risks?”