The cyber-insurance world is discussing the ins-and-outs of litigation going on between food manufacturing giant Mondelez International and Zurich over coverage for the ten billion dollar NotPetya cyber attack that crippled several multi-national companies. Zurich has apparently invoked what is colloquially known as the "act of war" exclusion to deny coverage to Mondelez under a property policy with cyber elements.
There are may intriguing legal issues presented in the case. But what has been catnip for the insurance-law-geek community may turn out to be biggest self-own for the insurance industry since State Farm's fraudulent handling of Hurricane Katrina claims.
Zurich's ludicrous position in the Mondelez litigation—that because the State Department and other officials pinned the NotPetya cyber-attack on Russia, the attack was an act of war by a nation-state, and therefore excluded—has become an instant sound bite for cyber-coverage skeptics, particularly those with an interest in selling security software or services that prevent attacks in the first place.
I recently attended a presentation by a security vendor, who when asked about her experience working with cyber-insurers after a breach dismissed the whole idea of cyber-insurance as a "crutch" that wasn't worth the paper it was printed on, trotting out the Mondelez litigation as evidence that cyber-insurance couldn't be relied on. This vendor's mantra: invest in prevention, and breach response preparation, but don't waste your money on cyber insurance.
We are firm believers, of course, in prevention and preparation. Every company should invest in data security because, as they say, it's not a matter of "if." But prevention and insurance go hand-in-hand. Indeed, taking many of the steps that the security vendors recommend is a requirement to get the better rates with almost every cyber-insurer, according to our friends in the underwriting community. And we recognize that insurers, including cyber insurers, will sometimes resist paying meritorious claims, or nickel-and-dime the insured on coverage. If they didn't, we'd be out of business.
But it is a truth of business life that mistakes happen. Most companies have accepted that insurance for these mistakes is a routine and necessary part of risk management, and they buy insurance because claims (most claims, anyway) will get paid. It's too bad that the cyber-insurance naysayers now can point to Zurich's denial in the Mondelez litigation to argue that cyber risk isn't part of that normal risk-management model.
What is particularly frustrating here is that it's hard to see how Zurich can succeed in the litigation, which is in Illinois state court. In court filings, Mondelez said its policy had been updated in 2016 to include losses (physical and non-physical) caused by “the malicious introduction of a machine code or instruction.” Zurich is relying on an exclusion from coverage for “hostile or warlike action” by a “sovereign government or power, military force or their agents.” But under Illinois law—like the law in Oregon, Washington, California, and almost every other state—the court will interpret the exclusion narrowly, and Zurich will bear the burden of proof that the exclusion applies. That means that Zurich must go beyond the accusations reported in the media and offer actual proof that Russia was behind the attack. The standard of proof in court is likely to be higher than what the State Department relied on to point the finger. Zurich may also run into problems if the government tries to block access to evidence on national security grounds.
The problem is that by so publicly taking the position that the "act of war" exclusion does apply, Zurich appears to be putting the business community on notice that many breach claims will not be covered. In our experience many attacks are blamed on state actors. At a recent internal presentation, the CISO of an AmLaw 100 law firm estimated that 85% of the most sophisticated attacks—phishing attacks that managed to trick at least one of their highly-trained, sophisticated employees—came from a hacker group with a connection to a foreign government (chiefly Russia, China, or North Korea). If the act of war exclusion can be invoked merely because of an essentially unproven accusation by a government agency, then businesses should rightly be concerned about whether their coverage is worth anything.
Hopefully Mondelez will defeat Zurich's denial, or the case will be settled indicating that Zurich agreed that it had some chance of losing that fight. But it may be that the damage has been done to continued growth in adoption of cyber insurance among businesses that have been on the fence about the coverage.
In the meantime, companies that have the ability to negotiate the terms of their cyber-insurance policies should be looking carefully at the "act of war" exclusionary language and demanding changes. For example, insurers may be willing to narrow the exclusion so that it only applies in the event of "declared hostilities" or if the policyholder was the intended target of the attack.