Recent Lawsuit Highlights Need for Careful Review of Cyberinsurance Policies

James S. Carter and Amy J. Spencer

The “WannaCry” and “NotPetya” computer viruses that infected computer systems around the world in 2017 sounded a wake-up call. They demonstrated the power of a cyber event to disrupt the core operations of numerous companies and other organizations. Now some fear that another unpleasant surprise related to the 2017 virus attacks may be on the horizon—this time from the insurance industry. A recent lawsuit alleges that an insurer denied coverage for losses arising out of the “NotPetya” virus based on an exclusion for “hostile and warlike actions.” A version of this war exclusion appears in virtually all insurance policies, including cyberinsurance policies, which are supposed to address cyber events like “WannaCry” and “NotPetya.”

The lawsuit is Mondelez International, Inc. v. Zurich American Insurance Company. In the suit, filed late last year in Illinois state court, the policyholder, a snack food and beverage maker, alleges that it suffered a nightmare cyber scenario. Two separate intrusions of the “NotPetya” virus at different locations “rendered permanently dysfunctional approximately 1700 of [the policyholder’s] servers and 24,000 laptops.” According to the complaint, the virus caused property damage, commercial supply disruptions, unfulfilled customer orders, reduced margins, and other covered losses aggregating well in excess of $100,000,000.

The policyholder sought coverage under its property insurance policy, which expressly covered property damage and business interruption losses due to a cyber event. The insurer, however, denied coverage, citing an exclusion “for hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any: (i) government or sovereign power . . . (ii) military, naval, or air force; or (iii) agent or authority of any party specified in i or ii above.”

Although the complaint does not specify, the insurer appears to have invoked the exclusion based on reports attributing the “NotPetya” virus to attempts by Russia to destabilize the Ukraine.

According to the complaint, after initially denying coverage, the insurer withdrew its denial in an effort to dissuade the policyholder from filing suit and to engage the policyholder in discussions concerning the adjustment and payment of the claim. After it became apparent to the insurer that the policyholder planned to file suit, the complaint alleges that the insurer re-asserted its denial of coverage based on the exclusion, as well as other defenses to coverage.

The Mondelez suit is causing quite a stir in cyberinsurance circles. Although the policy in Mondelez is a property policy, some say that the suit exposes how war exclusions in cyberinsurance policies can threaten coverage for cyberattacks that can be traced back to the activities of state-sponsored actors.

The outcome of the Mondelez suit remains to be seen. But policyholders can take comfort in the fact that, in most jurisdictions, insurers have the burden to prove that an insurance policy exclusion bars coverage. The war exclusion in particular raises daunting legal and factual challenges for insurers. See, e.g., Pan Am. World Airways, Inc. v. Aetna Cas. & Sur. Co., 505 F.2d 989 (2d Cir. 1974) (war exclusion did not apply to airline’s loss from hijacking by Palestinian terrorist group because the proximate cause of the loss was hijacking, not military conflict); Airlift Int’l, Inc. v. United States, 335 F. Supp. 442 (S.D. Fla. 1971) (exclusion inapplicable to loss from mid-air collision during Vietnam War where neither aircraft was engaging in an operation of war at the time of collision, and even if they were, loss resulted from a “peril of the air,” not a war peril).

The challenges for an insurer relying on the war exclusion are especially difficult in the cyber context. How do you prove the identity of the actor behind an anonymous cyberattack? Even if attribution can be proven, does the exclusion apply after a virus starts randomly spreading beyond its intended target through cyberspace? Such questions may explain why the insurer in Mondelez revised its coverage denial to assert additional coverage defenses. At the end of the day, the Mondelez case may not turn on the war exclusion at all.

Nonetheless, no policyholder reeling from a cyberattack wants to find itself debating the niceties of the war exclusion with its cyber insurer, however unlikely it might be that a court would agree with the insurer. Policyholders should review the war exclusion in their cyberinsurance policies and consider asking their insurers to clarify its scope in light of the Mondelez case. In some cyberinsurance policies, the war exclusion contains an exception or other wording that preserves coverage for cyberattacks. But in other cyberinsurance policies, the exclusion lacks such a limitation.

In addition to the war exclusion, policyholders should review other provisions in their cyberinsurance policies. The war exclusion in Mondelez illustrates a larger concern: any given cyberinsurance policy may contain broadly or unusually worded provisions that, depending on the situation, a cyber insurer can cite to deny or limit coverage for a cyber claim. In one of the very first cases involving a dedicated cyberinsurance policy, the policyholder was undoubtedly surprised when its cyber insurer denied coverage for a data breach based on a broadly-worded contractual liability exclusion. See P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 U.S. Dist. LEXIS 70749 (D. Ariz. May 31, 2016).

Cyber events can cause massive losses and even interfere with the very ability of a company or other organization to carry out its day-to-day operations. Thankfully, cyberinsurance can help policyholders rebound from even the worst cyber events. But, as the Mondelez case demonstrates, cyberinsurance policies may contain exclusions and other limitations that can unexpectedly jeopardize coverage. Policyholders must be vigilant when it comes to selecting and reviewing their cyberinsurance policies.