An Act of War?
The war exclusion sits at the center of a legal battle between Mondelez and Zurich American, which invoked the rarely used exclusion to deny a claim for property damages caused by a cyberattack.
- Kate Smith
- September 2019
- Court Case: Mondelez sued Zurich American for breach of contract after the insurer used the war exclusion to deny coverage for property losses arising from a cyberattack.
- Defining War: The case will test the definition of war, as the war exclusion historically has applied only to conventional armed conflicts.
- Burden of Proof: Zurich will need to prove the NotPetya malware attack was orchestrated by Russia.
The letter arrived at Mondelez nearly one year after the incident.
In June 2017, the snack manufacturer's computer systems had been corrupted by NotPetya, a form of malicious software that wreaked global havoc. The malware rendered dysfunctional 1,700 of Mondelez's servers and 24,000 of its laptops. It also disrupted distribution, leaving customer orders unfulfilled.
Mondelez filed an insurance claim for damages incurred. It sought coverage under its property policy, not a cyber policy. And in a letter dated June 1, 2018, its property insurer, Zurich American Insurance Company, denied the claim.
Zurich cited the policy's war exclusion as its reason.
The decision was unprecedented. The war exclusion, also known as the hostile acts exclusion, historically has applied to conventional armed conflicts. Never before has it been invoked for a cyberattack.
Zurich's invocation of the war exclusion has raised a compelling question: Can cyberattacks be considered acts of war?
The Circuit Court of Cook County, Illinois, may be left to decide.
In one of the most intriguing lawsuits in the insurance sector, Mondelez has sued Illinois-based Zurich American for $100 million over the denial of coverage. At the center of the case rests the very common, yet rarely used war exclusion.
In a complaint filed on Oct. 10, 2018, Mondelez called the coverage denial “wrongful and improper” and argued that the incursions of malicious code “did not constitute 'hostile or warlike action.'”
It will be up to Zurich to prove otherwise. A representative for Zurich said the company could not comment on the case.
The reason you see the disparity is because this was a property policy.
“This case is a big deal,” said Alan Rutkin, a partner at law firm Rivkin Radler, which has no involvement with the case. “It's definitely gotten a lot of attention, and it should.”
A similar scenario is playing out in the Superior Court of New Jersey, where pharmaceutical giant Merck is suing more than 20 of its insurers for denying NotPetya claims. Some of those denials reportedly were based on the war exclusion.
These cases are important, experts say, because cyberattacks increasingly are being used as weapons of disruption in military conflicts.
The U.S. and Israel, for example, are widely believed to have created Stuxnet, a virus designed to sabotage Iran's nuclear program. In 2018, the U.S. and U.K. publicly attributed NotPetya to Russia, saying the attack was aimed at causing disruption in Ukraine. And just this past June, the U.S. reportedly launched cyberattacks against Iran's missile system in retaliation for Iran shooting down a drone.
One could argue that cyberspace has become a theater of war. Therefore, debate over the applicability of the war exclusion for cyberattacks is to be expected, according to Michael Menapace, who practices insurance and cybersecurity law at legal firm Wiggin and Dana. Menapace and his firm do not represent any parties in these matters.
“These [lawsuits] won't be isolated disputes,” said Menapace, who also teaches insurance law at Quinnipiac Law School. “This is going to repeat. Here's why: If those cyber weapons we unleashed bounce around and cause collateral damage, or if Iran or anyone else counter strikes for the purpose of causing disruption, then what seems like a specific circumstance—NotPetya—is going to repeat. And we will see the same disputes again.
“These attacks are not going away.”
The Mondelez-Zurich case has garnered the most attention, though much of the coverage has been inaccurate.
According to court documents, Mondelez purchased an all-risks property policy from Zurich for coverage beginning Nov. 1, 2016.
The policy included coverage for “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction.”
The policy also provided coverage for “extra expense incurred by the Insured during the period of interruption directly resulting from the failure of the Insured's electronic data processing equipment or media to operate” resulting from malicious cyber damage, the company's attorneys wrote in their complaint.
Also included in the policy, however, was Exclusion B.2(a), which read:
B. This Policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this Policy, contributing concurrently or in any other sequence to the loss:
2) a) hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any:
(i) government or sovereign power (de jure or de facto);
(ii) military, naval, or air force; or
(iii) agent or authority of any party specified in i or ii above.
Zurich based its coverage denial, the legal complaint said, solely on Exclusion B.2(a). Also known as the war exclusion or hostile acts exclusion.
Some variation of a war exclusion is found in nearly every insurance policy. The provision excludes losses arising from the warlike or hostile actions of a sovereign power.
Estimated insured losses from NotPetya cyberattack.
Source: PCS, a Verisk company
“The war exclusion is something that's very deeply rooted in the world of insurance, because it runs right through the insurer's reinsurance treaties and retrocession treaties,” Graeme Newman, chief innovation officer at CFC Underwriting, said.
Though common, the exclusion rarely has been used.
In 2014, Atlantic Specialty Insurance denied coverage under the war exclusion for a claim that arose from a Hamas attack on Israel. Its insured, a television production company, was filming a show in Israel when Hamas fired rockets from Gaza into Israel. The shoot was relocated as a result of the attack, and the insured filed a claim for expenses incurred as a result of the move. In July, the U.S. Court of Appeals for the Ninth Circuit in California ruled that the attack did not trigger the war exclusion because Hamas is not a sovereign power.
Prior to that, the most well-known use of the war exclusion was in 1970, when Pan Am flight 83 was hijacked, diverted to Cairo and blown up. Pan Am filed a claim under its all-risks aviation policies. Its insurers denied the claim based on the war exclusion. In that case, the U.S. Court of Appeals for the Second Circuit ruled the war exclusion did not apply because the hijackers, the Popular Front for the Liberation of Palestine, were a radical political group rather than a sovereign government.
In the Mondelez case, Zurich will need to prove NotPetya was the work of a sovereign power.
Asserting a war risk exclusion in theory makes perfect sense. In practice, developing the facts to establish it could be hard.
To understand how the war, or hostile acts, exclusion comes into play, it is important to first understand the details of the NotPetya cyberattack.
On June 27, 2017—the eve of Ukraine's Constitution Day—a mock ransomware virus was inserted into a piece of accounting software called M.E.Doc, the Ukrainian equivalent of TurboTax, and unleashed through a software update. The virus, which became known as NotPetya, quickly spread beyond the borders of Ukraine.
It disrupted and disabled businesses around the world. Shipping giant Maersk, French construction company Saint-Gobain, British manufacturer Reckitt Benckiser, and FedEx subsidiary TNT Express were among the multinational companies inadvertently hit by NotPetya.
PCS, a Verisk company, labeled the attack the world's first cyber catastrophe. It caused $10 billion in global economic losses and, according to PCS estimates, $3 billion in insured losses.
Mondelez, Merck and other multinationals were not targets of NotPetya, however. They were collateral damage in what is widely believed to be a Russian military cyberattack on Ukraine.
In February 2018, both the U.S. and U.K. publicly attributed the attack to the Russian military. A month later, the U.S. issued sanctions against Russia, citing the country's responsibility for NotPetya as one of the reasons.
The White House said NotPetya was “part of the Kremlin's ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia's involvement in the ongoing conflict.”
Russia has not claimed responsibility for NotPetya.
As with all exclusions, the burden of proof will fall on the insurer, according to Menapace.
“They're going to have to prove all of the things in that exclusion, which is going to get really interesting,” he said. “The witness lists in these cases will be fascinating. It will be computer scientists, geopolitical experts, probably ex-military.”
Zurich will need to show that the attack originated with a foreign country or its agents.
“The concept that cyber weapons could be used in war by one country to attack another is easy to accept,” Rutkin said. “So the theory that cyber could be used by a nation's military against another nation as an act of war is very easy to grasp. The problem is, the facts are hard to come by. Cyber, unlike other acts of war, is generally in the shadows.
“So asserting a war risk exclusion in theory makes perfect sense. In practice, developing the facts to establish it could be hard. I'm not saying you can't do it, but it will be hard.”
In this case, Zurich must prove NotPetya originated with the Russian government or its agents.
“Likely, the first thing they're going to do is say that the U.S. and U.K. governments have already implemented sanctions against Russian military and the agents of Russian military for their role in unleashing NotPetya,” Menapace said.
Whether that's definitive proof, however, remains to be seen.
“It certainly is significant evidence,” Rutkin said. “Whether it's found to be enough and whether it's found to be war or warlike activity is new ground. We'll have to wait and see.”
The fact that NotPetya had no financial motive could be used to show the attack was purely for disruption rather than criminal gain.
“This was not ransomware,” Menapace said. “This was just wiping out data.”
Menapace said insurers will also point to the fact that Merck and Mondelez are not required to have been targets of the attack. “They are collateral damage, which is sufficient under the exclusion. That's what I think the insurers will come in and say.”
The doctrine of reasonable expectation is a legal principle that says provisions of a contract should be interpreted based on how a reasonable person would interpret them.
Should Mondelez have expected a cyberattack to fall under the war exclusion?
“No doubt the policyholders will come in and say it is beyond reasonable expectation that an attack like this, which spread throughout the world, would be covered by a war exclusion,” Menapace said.
Mondelez may have laid the foundation for that argument in its initial court filing, where it pointed out that the exclusion has never been applied to a malicious cyber event.
“The purported application of this type of exclusion to anything other than conventional armed conflict or hostilities was unprecedented,” it said. “Accordingly, on this basis alone, Zurich wrongfully denied coverage.”
Menapace expects semantics to play a role in the case.
“The policyholder will consistently use the term war exclusion,” he said. “When we think of war, we think of bullets, tanks and planes. So the policyholders are likely going to call it a war exclusion every chance they get, and the insurance companies are likely going to refer to it as a hostile acts exclusion.”
The insurance companies could counter that the plain meaning rule should be applied instead of the reasonable expectations test.
“They will say that what we should look at are the actual words of the policy,” Menapace said.
Discovery in the Mondelez-Zurich case is slated to continue into next month, but a resolution may not come for months or years. And the case probably won't go to trial, experts say. With such high stakes—Mondelez claimed damages of $100 million—the parties likely will settle out of court.
“No one wants to take the risk of an all-or-nothing result,” Menapace said.
Fred Eslami, associate director in AM Best's property/casualty rating division, said the insurance industry can't win, proverbially speaking, in this case.
“If this goes against Mondelez, it would be bad for the perception of insurance,” Eslami said. “People are going to ask, 'What's the use of the coverage if these attacks could have some seed of war?'”
Eslami said the lawsuits illustrate the need for stand-alone cyber insurance policies rather than packaged ones.
“This was a property policy, and Mondelez is claiming cyber exposure,” Eslami said. “Which could be fair because the property policy does cover electronic data. But at the same time, the property coverage has this war exclusion, which is giving the insurance company reason to dispute this. A stand-alone cyber policy has a different set of exclusions. The reason you see the disparity is because this was a property policy.”
There have been no coverage disputes on NotPetya claims made against stand-alone cyber insurance policies. Cyber insurance is intended to cover these types of attacks, including cyberterrorism.
“These cases are going to make companies conscious that, even if they have a policy that has some reference to data or software, it may not cover,” Eslami said. “And you could have to go through expensive litigation. So you're better off devising a specific stand-alone cyber policy rather than trying to include it in the property coverage.”
“If there is a lesson to be learned,” he said, “it's to not rely on finding silent cyber coverage in a non-cyber policy and, instead, to buy cyber policies, which paid out in the NotPetya attacks.”
When Mondelez sued Zurich American for denying a claim that arose from the 2017 NotPetya malware attack, the media world took notice. One mainstream news outlet called the Mondelez lawsuit a “test for cyber hack insurance.” Another called the dispute a “cyber insurance shock.”
The dispute, however, does not involve a cyber insurance policy. It involves a property policy. That important distinction, cyber insurers say, has been widely overlooked.
“People saw the word cyber and then saw the word insurance and assumed it was cyber insurance coverage,” Jim Bramblet, who leads Accenture's North American insurance practice, said.
Misleading headlines and erroneous news accounts have given cyber insurance a bad rap and left cyber insurers doing damage control.
“The mainstream press were really quick to the party, and it's hugely frustrating for the cyber insurance market seeing how badly this event has been reported and how incorrectly it's been reported,” said Graeme Newman, chief innovation officer at CFC Underwriting. “They've suggested it was the cyber insurance policy that wasn't responding, which couldn't be farther from the truth.”
Experts say cyber policies responded to NotPetya claims.
“We are not aware of any [cyber insurance] claim that's been denied for NotPetya,” Tracie Grella, global head of cyberrisk for AIG, said.
Zurich based its coverage denial on the war exclusion, a common provision which typically excludes losses arising from hostile or warlike actions taken by sovereign governments or their agents. Cyber insurance policies, however, don't use the traditional war exclusion.
Most cyber policies take into account the growing reality that cyberattacks are often state-sponsored, experts say.
“A good cyber policy has a carve-back on the war exclusion for cyberterrorism,” said Willis Towers Watson's Dan Twersky, a claims advocate and global cyber claims leader, FINEX North America. “Cyberterrorism is the premeditated use of disruptive activities against a computer system or network by any individual, organization or government intending to cause harm and in furtherance of objectives—including political. That's not war, as we know it. And it's an important distinction.”
Grella said cyber insurers revisited the war exclusion about five years ago. As cyberattacks evolved and state actors increasingly were alleged as perpetrators, cyber insurers recognized the traditional war exclusion was not right for their policies.
“We determined that there were some changes that needed to be made to the war exclusion in our cyber policies,” Grella said. “These war exclusion changes align better to the way cyber events come about and are different from war exclusions you would find in more traditional policies like property and casualty.”
The property policy Mondelez took out with Zurich contained a traditional war exclusion. So even though its policy provided some cyber coverage—specifically, it included “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction”—it was still a property policy with traditional property exclusions.
We are not aware of any [cyber insurance] claim that’s been denied for NotPetya.
Grella said the Mondelez case illustrates the importance of reviewing policies with a “cyber eye.”
“If you're adding a nonphysical cover to traditional policies, just adding in the coverage doesn't mean that the rest of the policy works,” she said. “Over the years, I've had clients tell me, 'I'm not buying a cyber policy because I have cyber coverage in my property policy.'
“If that's what you're really relying on, then you should be looking at that policy like it's a cyber policy, running your scenarios through that, and ensuring that all of the exclusions, all of the terms, all of the coverage grants work for what you're looking for.'”
Newman said insurers should clearly delineate their stance on cyber coverage. Many, however, have been slow to update the language in their policies to reflect their intent.
“Language got left in property forms,” Newman said. “People will say they have a cyber bolt-on. It's not, really. The language which is in some of these policies is from decades ago, when people were adding bits of cover for damage to software because if hardware was destroyed, you may have to re-buy software licenses. It wasn't drafted with the concept of today's cyberattacks in mind.
“There's been a lethargy about updating [the language],” he added. “The multiple $100 million claims that have been brought are going to speed that up and get rid of the lethargy.”
AIG is among the insurers who have become very intentional in their approach to cyber coverage. Grella said the company has been revising its policy language to be specific about coverage.
“We want all of our clients to know where they have cyber coverage and where they don't,” she said. “We offer the ability to purchase coverage and make sure there's affirmative language in the policy. If a client doesn't want to purchase that coverage, then we want to affirmatively exclude it.
“We are designing our policies so that clients can choose where they want to have the coverage and where they don't. If they're getting the coverage, it will be underwritten appropriately.”
Accenture's Bramblet said the Mondelez lawsuit could ultimately benefit cyber insurers.
“For the cyber market, it's a good situation in that it makes people think about buying coverage that's appropriate for the risk and specific to the risk,” Bramblet said. “I do think it will increase awareness for stand-alone cyber insurance coverage, just because insureds don't want to be in an ambiguous state.”
For more on the war exclusion, see Defining War. (p. 21 in print)