Insurance coverage disputes typically aren’t front-page news events, but two recent case filings have made headlines in legal, insurance and even mainstream news outlets. The cases attracting all the attention involve claims by corporate giants Mondelez International and Merck for losses each company sustained as a result of being infected with NotPetya, an encrypting ransomware.
The ecosystem and NotPetya background
The networked world is increasingly prone to data loss and theft. The Verizon “2019 Data Breach Investigations Report” describes a digital world in which hacking, social engineering and ransomware increasingly target the public and private sectors for financial gain and IP theft or espionage. The report attributes 23% of breaches — as opposed to security incidents — to “actors identified as nation-state or state-affiliated.” These state-sponsored attacks typically range from theft or espionage to financial gain; however, some attacks appear to have been driven by grudge or by swatting a neighbor.
NotPetya is a ransomware attack first seen in Ukraine in June 2017. Within hours, the malware spread beyond the initial targets in Ukraine to Merck, Maersk, FedEx and many others. Once in those networks, it reportedly spread rapidly from European computers and servers to those in the U.S. and even Australia.
Ultimately, many firms were “collateral damage” from the NotPetya attack. Entire networks had to be shut down to prevent further spread of the malware. It may well have taken days to segregate, inspect, cleanse and restart priority systems, then weeks before less critical applications and communications of affected firms were functioning.
Insurance – whether a cyber product or otherwise – is something that we usually purchase to hedge the risk of a hopefully unlikely event with significant operational or financial impact. Mondelez and Merck contend that this is not proceeding according to plan.
According to Mondelez’s complaint against Zurich American Insurance Company, its insurance policy provides coverage for “all risks of physical loss or damage” to Mondelez property, including instances of “physical loss or damage to electronic data, programs, or software … caused by the malicious introduction of a machine code or instruction.” Under its policy, Mondelez said it incurred insured losses well in excess of $100 million. Mondelez alleged that Zurich denied coverage based on a policy exclusion “for hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any: (i) government or sovereign power; (ii) military, naval, or air force; or (iii) agent or authority of any party specified in i or ii above.”
In its complaint against more than 20 insurers, Merck alleged that it experienced a “network interruption event … resulting from a malware infection, which involved the destruction, distortion or corruption of its computer data, coding, program or software resulting from malware presented as ransomware.” The event allegedly “led to extensive disruption of Merck’s worldwide operations” and adversely affected Merck’s sales. Merck claims that its losses “exceed the deductibles or attachment points” of all the insurance policies at issue and that the defendants reserved the right to deny coverage based on their policies’ war exclusions.
The insurance policies
The policies at issue with both Mondelez and Merck are property policies. The claims involve cyber events, but the policies are not privacy or network security insurance policies. In fact, Merck notes in its complaint that it has received payment for its NotPetya claim under its cyberinsurance policies, saying that its cyberinsurers “have been making payments to Merck or otherwise have not contested their coverage obligations.” That is consistent with recent statements by a leading cyberinsurance broker that cyberinsurers have not denied claims based on a war exclusion.
The sky is not falling
Initial reports of these insurance disputes led to concerns that cyber incidents involving state actors would not be covered in vast numbers under cyber policies, which often contain a war exclusion because of the extensive role of state actors. For example, Ariel Levite, a senior fellow at the Carnegie Endowment for International Peace, said in a New York Times article April 15 that “you’re running a huge risk that cyberinsurance in the future will be worthless.”
But perhaps we are viewing this through an old lens. Insurance has often been purchased to address hazards. Specifically, an organization obtains a policy to counter the slim risk of a fire, flood or other catastrophe. Fred Kaplan wrote an article for Slate in April in which he argues the inevitability of attacks – state-sponsored or otherwise – means that we should view cyberinsurance more like we do health insurance: coverage against the inevitable, rather than against a hazard risk.
Whether the NotPetya attack falls within the formal definition of war, the Verizon 2019 DBIR and other reporting assert that even state-sponsored attacks can be driven by motives ranging from financial gain and IP theft to espionage and retribution. Depending on the wording of the specific insurance form at issue, even Sony-type events could arguably fall outside a war or terrorism exclusion. This is not to diminish the impact of “collateral damage” events on the insured, but so far, the extent of “war” events remains small within the scope of what cyber policies cover.
Mitigating the risk of a war exclusion claim denial
While cyberinsurance holders should take comfort in the fact that their providers appear to be covering alleged state-sponsored events, here are some strategies companies can consider to mitigate the risk that a cyberinsurer will deny a claim based on a war exclusion:
- Avoid it. Some cyberinsurance policies do not contain a war exclusion. All other things being equal between two cyberinsurance policy forms, a policy that doesn’t contain the exclusion may be the better option.
- Negotiate for removal. Today’s cyberinsurance market is generally considered to be “soft,” meaning competitive among insurers. This dynamic provides leverage to policyholders to negotiate for more favorable terms, including the removal of exclusionary provisions. There’s no guarantee of success, but it’s worth asking the insurer to remove its war exclusion.
- Limit it. An insurer that refuses to remove a war exclusion may be willing to add an exception to the exclusion for certain types of cyber events that affect the computer network of the insured or its third-party service providers. But again, it’s worth asking.
- Modify it. Some insurers reportedly are willing to modify their war exclusions by adding the term “kinetic,” with the goal of limiting application of the exclusion to active, “bullets-flying” warfare.
- Get it in writing. If all else fails, ask the insurer for written assurances that it will not rely on the war exclusion to deny at least certain types of claims. It also may be helpful to obtain case studies, promotional or other materials from the insurer evidencing that it has a history of paying similar claims. Although relying on such “extrinsic evidence” in a subsequent coverage dispute may prove to be challenging, it may be dispositive in the policyholder’s favor if it can be utilized in evidence in court.