Sovereign nation states have been behind (or suspected of being behind) some of the worst cyberattacks. When a cyberattack has state involvement, the inevitable question is whether it constitutes an act of war. The answer can have a profound impact on insurance coverage because virtually every insurance policy has a war exclusion. In a case of first impression, a New Jersey trial court recently addressed whether a war exclusion applied to losses arising from the NotPetya cyberattack in 2017.
The United States and several other countries contended that Russia was responsible for launching the NotPetya attack to destabilize Ukraine. NotPetya quickly spread beyond its intended targets in Ukraine, causing collateral damage to millions of computers worldwide. Among the many impacted organizations was the pharmaceutical company, Merck & Co. Inc., which suffered damage to 40,000 of its computers, costing it more than $1.4 billion.
The “WannaCry” and “NotPetya” computer viruses that infected computer systems around the world in 2017 sounded a wakeup call. They demonstrated the power of a cyber event to disrupt the core operations of numerous companies and other organizations. Now some fear that another unpleasant surprise related to the 2017 virus attacks may be on the horizon—this time from the insurance industry. A recent lawsuit alleges that an insurer denied coverage for losses arising out of the “NotPetya” virus based on an exclusion for “hostile and warlike actions.” A version of this war exclusion appears in virtually all insurance policies, including cyberinsurance policies, which are supposed to address cyber events like “WannaCry” and “Not Petya.”
The lawsuit is Mondelez International, Inv. v. Zurich American Insurance Company. Filed late last year in Illinois state court, the policyholder, a snack food and beverage maker, alleges that it suffered a nightmare cyber scenario. Two separate intrusions of the “NotPetya” virus at different locations “rendered permanently dysfunctional approximately 1700 of [the policyholder’s] servers and 24,000 laptops.” According to the complaint, the virus caused property damage, commercial supply disruptions, unfulfilled customer orders, reduced margins, and other covered losses aggregating well in excess of $100,000,000. Continue reading “Recent Lawsuit Highlights Need for Careful Review of Cyberinsurance Policies”