Hackers in the Cookie Jar: Insurance and Cyber War

In June 2017, a devastating malware strain dubbed NotPetya spread like wildfire, causing significant damage to global companies. The consequences of a NotPetya infection were severe: significant property damage to laptops and servers as well as massive disruptions in global supply chains. The potential losses reverberated throughout the insurance community, with companies like Merck, Maersk, Mondelez, and FedEx reporting significant financial losses. The questions we fielded from clients followed a familiar theme: Is cyber insurance going to actually pay a claim?

If you've heard about the Mondelez lawsuit against Zurich American Insurance Company, you probably think the answer is no. But as my colleague Lauri Floresca has pointed out in the past, cyber insurance is again getting a bad rap. The lesson here, as has been the case in the past, is that other insurance policies aren't paying cyber claims. But cyber policies are paying claims, and in fact have paid similar claims from the NotPetya attack as well as other purported nation-state attacks.

Mondelez v. Zurich American Insurance Company

Mondelez International, Inc., a snack food manufacturer of global brands such as Oreo cookies and Ritz crackers, was one of the companies infected by NotPetya. The original infection compromised two individual servers before spreading to more than 1,700 servers and 24,000 laptops, rendering them permanently defected. Mondelez also suffered business interruption in the form of "property damage, commercial supply and distribution disruptions, unfilled customer orders, reduced margins, and other covered losses well in excess of $100M," according to their complaint against Zurich American Insurance Company. Mondelez submitted the claim to Zurich under an all-risk property policy, and Zurich ultimately denied the claim citing the war and terrorism exclusion.

This is the first known denial of a cyber-related claim based on the war exclusion. The NotPetya attack was allegedly developed by the Russian military, and deployed through a compromised software update to a Ukrainian accounting software with the intent of destabilizing the Ukrainian government and economy. Many Western governments—including the United States, United Kingdom, and Denmark—have attributed the attack to Russian sources.

Many insurers will be watching the case closely, as Zurich bears the burden of proof to invoke the war exclusion, meaning they will be forced to prove attribution in a court of law. Given the proliferation of nation-state attacks, as well as the availability of nation-state caliber offensive hacking tools on the dark web, proving attribution has become increasingly complicated.

It also bears repeating that the insurance policy in question is a property policy, not a cyber policy. In fact, many companies affected by NotPetya were successful in claiming losses under cyber insurance policies. Similarly, losses from purported nation-state cyber attacks have been paid by cyber insurance policies in the past—notably the alleged North-Korean hack of Sony Pictures in 2014.

The Zurich denial of the Mondelez claim points to the dangers of looking for coverage of a cyber event under other types of insurance policies, in this case a property policy.  

Silent Cyber Risk

"Silent cyber" refers to the risk of cyber events causing losses on non-cyber insurance policies which have remained silent to the exposure—meaning the policies have not specifically addressed whether cyber is a covered peril or not. Insurance carriers have been undergoing cyber stress-tests, trying to quantify exactly how much silent cyber exposure exists across their portfolios.

Silent cyber risk, as it stands today, is going away. As insurance carriers come to understand how cyber risk impacts their portfolio, they have added terms to other types of insurance policies to manage cyber risk. These terms can take the form of outright exclusions, restrictive clarifications within the definitions section of a policy, or in some cases, acknowledging affirmative coverage but reducing the limit available for that coverage (commonly referred to as a sublimit).

For example, some property insurers have been touting their ability to cover cyber risk, but they are generally offering a small fraction of the limit as compared to the total policy limit.

Enterprise View of Cyber Risk

The primary lesson from the Mondelez v. Zurich case is that trying to find coverage for the consequences of a cyber incident on non-cyber policies is a gamble. And as silent cyber coverage disappears, it is increasingly important to work with a broker that understands how the fallout of a cyber incident impacts all of your insurance policies. At Woodruff Sawyer, we help our clients assess their enterprise view of cyber risk.

The reality is that while dedicated cyber insurance policies have continued to improve, other types of insurance are generally going in the other direction. The track record of cyber insurance paying claims has been clearly established, and this coverage has become an important part of any company's insurance portfolio.