Recent Lawsuit Highlights Need for Careful Review of Cyberinsurance Policies

James S. Carter and Amy J. Spencer

The “WannaCry” and “NotPetya” computer viruses that infected computer systems around the world in 2017 sounded a wakeup call. They demonstrated the power of a cyber event to disrupt the core operations of numerous companies and other organizations. Now some fear that another unpleasant surprise related to the 2017 virus attacks may be on the horizon—this time from the insurance industry. A recent lawsuit alleges that an insurer denied coverage for losses arising out of the “NotPetya” virus based on an exclusion for “hostile and warlike actions.” A version of this war exclusion appears in virtually all insurance policies, including cyberinsurance policies, which are supposed to address cyber events like “WannaCry” and “Not Petya.”

The lawsuit is Mondelez International, Inv. v. Zurich American Insurance Company. Filed late last year in Illinois state court, the policyholder, a snack food and beverage maker, alleges that it suffered a nightmare cyber scenario. Two separate intrusions of the “NotPetya” virus at different locations “rendered permanently dysfunctional approximately 1700 of [the policyholder’s] servers and 24,000 laptops.” According to the complaint, the virus caused property damage, commercial supply disruptions, unfulfilled customer orders, reduced margins, and other covered losses aggregating well in excess of $100,000,000. Continue reading “Recent Lawsuit Highlights Need for Careful Review of Cyberinsurance Policies”