By Jeffrey A. Franklin, Prince Law Offices P.C.
Cyber insurance policies are now standard procedure for companies seeking to shift some risk in case of malware attacks and cyber hacks. In a test of the developing cyber insurance industry, Zurich America Insurance Company is reportedly refusing to pay out a $100 million claim from consumer packaged good company Mondelez, which was a victim of the NotPetya ransomware attack in June 2017. Zurich says that the NotPetya ransomware attack was an act of “cyber war” and is therefore not covered by the policy. Mondelez Int’l, Inc. v. Zurich Am. Ins. Co., No. 2018-L-11008, complaint filed, 2018 WL 4941760 (Ill. Cir. Ct., Cook Cty., Oct. 10, 2018).
The NotPetya attack impacted businesses worldwide, reportedly including Ukrainian banks, energy companies, airports and shipping giant Maersk.
What the Cyber Insurance Policy Covers
According to Mondelez, its cyber insurance policy with Zurich covered “all risk of physical loss or damage to electronic data, programs or software” due to “the malicious introduction of a machine code or instruction.” NotPetya would seem to fit the definition included in the policy.
Zurich Uses “Act of War” Clause to Avoid Paying Claim
Zurich is invoking a “cyber war” clause claiming NotPetya was “a hostile or warlike action in time of peace or war.” Zurich argues that the cyber-attack originated with Russian hackers working directly with the Russian government to destabilize the Ukraine. That is what Zurich alleges constitutes “cyber war.” To support its case, Zurich cites official statements of national security officials from the UK, Canada and Australia blaming Russia for the February 2018 cyber attack. These and other Western governments including the United States also noted that the first NotPetya attack occurred in Ukraine before spreading around the world. Russia has denied involvement.
Implications for Cyber Insurance
The burden of proof should fall on the insurance company to prove that NotPetya was an act of cyber war. That will be a heavy burden. The intelligence agencies are not likely to furnish proof of an attack despite their blaming Russia in this instance for the attacks. Regardless of this heavy burden, many worry that other insurance companies will claim that other cyber attacks or data breaches are due to an “act of cyber war” and reject their claims as well, leading many to wonder just how reliable a partner the cyber insurance industry will be when it is needed the most by its paying customers.
From the insurance industry perspective, the costs of cyber attacks are skyrocketing. According to experts, the NotPetya cleanup alone totaled close to $80 billion. It wasn’t just Mondelez; it was shipping giant Maersk with losses close to $300 million, with FedEx also having close to $300 million in losses from NotPetya.
Things to Consider
When considering the value of your cyber insurance policy, review the terms of the policy carefully, but also consider the company issuing it and whether the company will stand behind the policy and provide the risk mitigation your business planned for when it needs it the most.
Jeffrey A. Franklin heads the Cyber Law group at Prince Law Offices P.C. He is also the president and Technology Committee Chair of the Berks County Bar Association and principal technology consultant with BrightLine Tech Solutions LLC.