With recent news of multinational food and beverage company Mondelez International settling its lawsuit against its insurer Zurich American Insurance Company over the company’s NotPetya claims, conversation has continued around what this could mean for war exclusion language and definitions of cyber war in insurance policies. Experts say, however, that the answers to these questions remain unclear.
“I think that the takeaway is that war exclusions in all lines of business need to be updated and modernized to expressly address coverage around state sponsored cyber attacks or cyber operations,” said Vince Vitkowsky, partner at law firm Gfeller Laurie, on this episode of The Insuring Cyber Podcast.
Mondelez initially claimed $100 million on its insurance policy after a June 2017 malware program called NotPetya wreaked havoc on its systems. Bloomberg reported that Mondelez believed permanent damage to 1,700 of its servers and 24,000 laptops, plus the theft of thousands of user credentials, unfulfilled customer orders and other losses fell under the provision of its insurance policy covering “physical loss or damage.”
In June 2018, Zurich denied the claim because it said the NotPetya attack actually fell under an exclusion barring insurance coverage for hostile or warlike actions. A multi-year legal battle ensued. Zurich confirmed to The Insuring Cyber Podcast this month in an email that the two parties have settled the matter, although no further details have been released.
The recent news of the settlement in this case comes on the back of a decision made public in January by the Superior Court of New Jersey in a similarly high profile NotPetya case – this time involving U.S. pharma company Merck. The court in that case ruled insurers cannot use the war exclusion in their all-risk property policies to avoid covering about $1.4 billion in damages that the company said it suffered due to the attack.
“The one thing we do know is that both of these policies had the hostile warlike act exclusion,” Vitkowsky said, “and it is just rife with ambiguities and doesn’t address cyber at all.”
Peter Halprin, partner at law firm Pasich, agreed that war exclusion language within insurance policies likely will need updating, and the January decision in the Merck case as well as the recent Zurich/Mondelez settlement could put pressure on insurers to move forward.
“I’m often asked by clients to do policy reviews, and they’re asking me to look at the war exclusions that they have in their cyber policies and the carve backs, because you often have a carve back for cyber terrorism. I will tell you that my experience is that they differ widely,” he said. “I think that both of these [cases] taken together really put the onus on carriers to use exclusionary language that is clear, unambiguous, and unmistakable.”
Halprin said by doing this, insurers can benefit their policyholders by providing clarity on what their insurance covers before a claim.
“This is a wake up call that it’s very important to craft your exclusions as you’d like things to be excluded, and that gives your policyholder the ability to understand what they’re buying,” he said. “I think these cases help shine a light on that [as insurers are] thinking about, ‘Okay, if a traditional war exclusion does not apply to some of the risks that we’re talking about, what would?’ And how should the insurers craft unambiguous language to make clear whatever they’re trying to intend to exclude?”
Vitkowsky agreed that many insurers will likely be revisiting their exclusionary language beginning next year, especially on the back of these NotPetya case outcomes.
“I think it’s going to lead them to use strong language and limit exposure,” he said.
Violet Sullivan, vice president of client engagement at Redpoint Cybersecurity, said that overall, the NotPetya incident was defining for insurers because it showed that day-to-day functions and livelihoods can be affected by a widespread incident.
“I feel like this was the pivotal moment to say cyber attacks can impact you operationally in your pocketbook and also impact your day-to-day productivity and what you know as your work and livelihood,” she said.
Halprin agreed, adding that the geographic component of the attack also played a role in making it a significant event insurers view as a turning point for ransomware.
“It really showed that this issue is not necessarily limited to a particular jurisdiction or geography. It can be worldwide,” he said. “I think that’s only been exacerbated by the pandemic, and there have been a lot of pieces … where the insurance industry looked at the pandemic and said, ‘What does a ransomware pandemic look like? What does a global cyber incident look like, and how would we be able to respond?’”
While Sullivan said the idea of a ransomware pandemic sends “a chill” down her spine, she admitted that it may not be far off as the ransomware landscape continues to evolve.
“I feel like this word ‘ransomware’ is going to evolve into any type of extortion for your technical use of equipment. I mean, it’s not going to be just about data or just about databases. It’s going to be criminals just furthering the evolution of crime into a technical sphere,” she said. “So I’m pretty pessimistic about it happening in the future.”
With this in mind, Vitkowsky said there is even more pressure on insurers to tighten up exclusion language and clarify what an act of cyber war actually means from a coverage standpoint.
“Widespread event coverage is sometimes treated separately, and it can be defined however you want to, but a systemic cyber event is a phrase that’s being used. Catastrophic cyber event is a phrase that’s being used. So [the outcomes of these NotPetya cases] will cause a greater tightening of language, and in some cases, a wholesale creation of a new language,” he said. “It’s a fascinating time because we’ve been thinking and talking about this forever, and it’s finally coming. Major players are saying, ‘You gotta get this done now. We’ve waited long enough.’”
Check out the rest of this episode to find out what else Vince, Violet and Peter had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.