A coverage dispute between Zurich Insurance and Mondelez International, following 2017’s NotPetya, is likely to prove to be an important test for the application of war exclusions by property insurers for incidents of suspected cyber warfare. The move also gives further credence to the need for affirmative cyber cover.
On 10 October 2018, food manufacturer Mondelez filed a lawsuit in Cook County Circuit Court of Illinois against Zurich North America after the insurer denied a claim made under the company’s all-risk property insurance policy. Mondelez, which owns the Cadbury, Toblerone and Oreo food brands, says the incident damaged some 1,700 servers and 24,000 laptops, halting production and disrupting sales.
According to the court filing, Mondelez says it suffered “property damage, commercial supply and distribution disruptions, unfulfilled customer orders, reduced margins and other covered losses aggregating well in excess of USD 100 million”.
The complaint says the property insurance policy underwritten by Zurich covers “physical loss or damage to electronic data, programs, or software” caused by “the malicious introduction of a machine code or instruction”. The policy also extends cover to include business interruption and additional expenses “resulting from the failure of the insured’s electronic data processing equipment or media to operate resulting from malicious cyber damage”.
Initially, Zurich offered a USD 10 million interim payment. However, it is said to have later withdrawn the offer after it reclassified the NotPetya attack from a criminal act to an act of war.
Zurich then denied cover under the property policy in June 2018, invoking an exclusion in the policy covering any “hostile or warlike action in time of peace or war” carried out by a government, military force or a government “agent or authority”. In the case of NotPetya, the UK, US, Canada and Australia have all blamed Russia for the attack, although Russia has denied any involvement.
Zurich now has to prove in court that the exclusion applies. However, the attribution of cyber-attacks can be highly problematic.
The dispute between Zurich and Mondelez raises important questions for both buyers and insurers about how they can approach the problem of cyber conflict.
Recent years have witnessed an apparent rise in the threat posed by nation states. For example, cyber security experts suspect Chinese state hackers were behind the recent cyber attack at Marriott Hotel group, which compromised the data of some 500 million customers. Nation states are thought to be behind numerous cyber attacks aimed at obtaining trade secrets, personal data or funds, as well as intending to cause physical damage and disruption.
War and terrorism exclusions are standard in both property and cyber policies, although wordings in specialist cyber policies are drafted with cyber loss events in mind. For example, war clauses in a property policy are intended to exclude physical damage from conventional acts of war, and not business interruption from a cyber-attack.
The effectiveness of war and terrorism exclusions in the context of cyber attacks is untested. In its filing, Mondelez says the application of a war exclusion to deny coverage for a malicious cyber incident – or for anything other than a conventional armed conflict or hostility - as determining culpability for a cyber attack is fraught with difficulty.
Lines between nation states, hackers, cyber criminals and terrorist groups are blurred. The tools and exploits developed by nation states can also trickle down to hackers – WannaCry, for example, was based on the EternalBlue exploit developed by the US National Security Agency, and leaked by the Shadow Brokers hacker group.
Even where a cyber attack can be traced back to a nation state (the US blames WannaCry on North Korea), establishing whether an incident was an act of war or something else – such as espionage or state-sponsored theft – is another story.
The Mondelez dispute also highlights diverging views on cyber risk between the property and cyber insurance markets. The latter has shown no sign of invoking war and terrorism exclusions for malicious cyber incidents – in fact the market has paid out on a number of NotPetya claims, sometimes up to full policy limits.
However, the property insurance market, which in all likelihood never intended to cover losses from events like NotPetya, has been more circumspect.
Malware attacks like NotPetya and coverage disputes like the one between Mondelez and Zurich reinforce the need to purchase standalone cyber insurance with appropriate limits.
Mondelez was not the only company to suffer losses from the NotPetya attack. Shipping group Maersk, logistics company FedEx, US pharma group Merck, French construction materials company Saint-Gobain and UK-based consumer goods group Reckitt Benckiser all disclosed losses as a result of the attack. Maersk and FedEx reported losses of around USD 300 million each.
Claims analytics firm PCS says insurers face claims amounting to USD 3.3 billion for the NotPetya attack, but 90% are for non-affirmative cover. Merck, for example, is looking to claim USD 2 billion from its insurers, of which USD 250 million has been paid by the firm’s affirmative cyber insurance policy. The remaining USD 1.75 billion is being claimed under non-affirmative cover.
The NotPetya attack helped bring non-affirmative, or ‘silent cyber’ cover, into sharp focus. However, property/casualty insurers are also under pressure from regulators to clarify cyber cover under traditional policies. The UK’s Prudential Regulation Authority issued a supervisory statement in July 2017 calling for UK insurers to take steps to identify, quantify and manage cyber insurance underwriting risk. A number of international insurers, including Allianz and AIG, are also moving towards affirmative cover in their commercial property/casualty offerings.
The dispute between Mondelez and Zurich could set an important precedent, assuming it is not settled out of court. Should Zurich be able to prove that war exclusions are effective in denying claims arising from a state-sponsored cyber attack, it would most likely trigger changes to policy wordings and coverage.
The view taken by the reinsurance market could have implications for primary cover. While cyber underwriters would understand the need to provide cover for alleged state-sponsored cyber incidents like NotPetya, in the absence of reinsurance support, underwriters may need to apply sub-limits. One solution would be a reinsurance pool for cyber war losses, much like facilities that already exist for terrorism cover in the property market. In the UK, Pool Re recently extended its cover to include cyber property damage resulting from a terrorist attack.
CYBER WAR COVERAGE CHECKLIST
Buyers should consider the following:
Whether cyber cover under a property policy is affirmative
The scope of war exclusions and terrorism wordings
Coverage for replacement of hardware damaged by a cyber incident
Buying bricking cover for hardware damaged beyond repair
For more information please contact Sarah Stephens, Head of Cyber on +44 (0)203 394 0486