Insurers Pitch Stand-Alone Cyber Policies as ‘War Exclusion’ Faces Uncertain Future
Insurers and their advocates say two lawsuits targeting the use of the war exclusion in property insurance contracts illustrate the need to purchase stand-alone cyber policies amid the rise of ransomware attacks.
- Tom Davis
- April 2022
- Rising Rates: Insurers and their advocates say the industry could be forced to raise rates if the war exclusion in property insurance contracts can’t be used for attacks on IT infrastructure.
- Cyber Shift: Companies should reconsider relying on what’s called “silent cyber” coverage in property insurance if it is not clearly designed specifically to cover cyberrisks, some insurers and their advocates say.
- Coverage Disputes: Two lawsuits illustrate how businesses that rely upon traditional insurance for cyber events should anticipate coverage disputes and questions over language, insurers say.
Insurers and their advocates say they're keeping their eyes on two lawsuits that target the use of the “war exclusion” in property insurance contracts—and highlight the increasing importance of stand-alone cyber policies now that ransomware attacks are on the rise.
Two high-profile companies are relying on the courts' help after insurers invoked the war exclusion to deny coverage following the 2017 NotPetya cyberattack, said Michael Menapace, an insurance lawyer and cybersecurity counsel with Wiggin and Dana LLP.
“Companies should not be relying on finding silent cyber coverage in a property, liability or other type of policy that is not designed specifically to cover cyberrisks,” Menapace said.
And if they continue to do so, insurers could be forced to raise rates if they can't use the war exclusion for attacks on information technology infrastructure, Menapace said. “Ultimately, when courts decide that additional risks are covered when they were not previously intended, insurance rates will rise and consumers will shoulder the burden,” he said.
The shift in focus to stand-alone cyber coverage comes after a New Jersey Superior Court in January ruled in favor of pharmaceuticals company Merck Inc. and its captive insurer and against a Chubb Ltd. affiliate, which had used the war exclusion to deny coverage following the NotPetya ransomware attack.
Merck's computer systems were infected by the NotPetya malware, which struck computers worldwide, with the plaintiff alleging 40,000 computers were affected, resulting in more than $1.4 billion in losses. The defendant insurers had cited language in their policy excluding hostile and warlike acts as a reason to exclude the cyberattack.
Judge Thomas J. Walsh in the Superior Court of New Jersey Law Division, Union County, wrote the insurers “did nothing to change the language of the exemption to put this insured on notice that it intended to exclude cyberattacks.”
Another potentially impactful case involves a $100 million lawsuit filed against Zurich American after the insurer also used the war exclusion to deny coverage following the 2017 ransomware attack, court documents show.
Attorneys for both Mondelez and Zurich American, which was sued over denying the snack manufacturer coverage when Mondelez's computer systems were corrupted by NotPetya, have asked for a summary judgment in the 4-year-old Illinois case.
In the New Jersey case, Menapace said he believes the Chubb affiliate will “undoubtedly” appeal. As for its impact on the Mondelez-Zurich lawsuit, Menapace said the trial court proceeding in the Merck case may be persuasive to the Illinois judge, “but not binding.”
“In my estimation, the New Jersey decision reads as though it is outcome-oriented and I am not sure how persuasive its rationale will be on an Illinois court,” he said.
Whatever the outcome, Fred Eslami, associate director at AM Best, said stand-alone cyber insurance policies are “the most efficient approach” to dealing with the modern form of warfare that is happening with greater frequency. “The expense that is involved in these types of litigation is huge and everyone wants to avoid it,” he said.
Eslami said significant rate increases throughout 2021 and into 2022 were driven by increases in ransomware losses and by uncertainty over this continually evolving risk.
“Additionally, increases in deductibles and reductions in limits may be indicative of those facts as well,” he said. “Prior to this [New Jersey] ruling, the big unknown was whether or not an act of cyber sabotage similar to NotPetya met the criteria for being a hostile or warlike action.”
Catherine Lyle, head of claims at cyber insurer Coalition, said the cases illustrate how businesses that rely upon traditional insurance for cyber events should also anticipate coverage disputes. “Businesses, small and large, need to heed this warning and prepare for cyber events with stand-alone protection,” she said.
Much like the New Jersey case, the outcome of the Mondelez lawsuit could hinge on the interpretation of policy language.
Eslami said since NotPetya, insurers have been tightening their policy language, terms and conditions and the limits they provide. Prior to the New Jersey court ruling, “the big unknown was whether or not an act of cyber sabotage similar to NotPetya met the criteria for being a hostile or warlike action,” he said.
“War exclusions are generally written in broad terms and are not well-equipped to handle today's constantly evolving cyberrisk landscape,” he said. “The outcome of this case highlights the importance of insurers to continue to add greater clarity of what is and isn't covered within their policies.”
Menapace said the creation of, and reliance on, the concept of a “traditional form of warfare” is not found in the text of such policies. The war exclusion was developed long ago, he said, and “certainly, damages from cannon fire or other forms of warfare no longer in use were excluded when it was drafted.”
“I can't imagine anyone would argue that the insurers should have updated the exclusion to account for the modern missile. Why is it such a leap that a cyberattack causes warlike collateral damage to insured computers?” he said.
Zurich declined to comment directly on its lawsuit, referring Best's Review to its statements in court.
In a summary judgment filing, Zurich maintained that NotPetya was a “hostile or warlike action” within the terms of its hostile actions exclusion. The policy includes “broad and unambiguous” language signaling the NotPetya cyberattack was an act of war by a “government or sovereign power” or military—in this case, Russia, Zurich says.
“Courts addressing the hostile acts exclusion make clear that the exclusion—consistent with its plain terms—is applicable even to acts that are neither 'acts of war' nor traditional armed conflict,” Zurich wrote in its court filing.
Mondelez, however, argues Zurich has provided no technical or forensic evidence regarding who was responsible for NotPetya. “There is no publicly available forensic evidence linking NotPetya to Russia,” the company said in recent court filings.
It also can be disputed, Mondelez said, that Russia and Ukraine were actively at war around the time of NotPetya. “Even if Russia and the Ukraine were in an armed conflict at the time of NotPetya, over which the parties have a genuine dispute, Zurich has not met its burden to prove NotPetya was part of that purported armed conflict,” the company claims.
In its own summary judgment request, Mondelez argued that hostile or warlike action must be suggestive of armed physical conflict that can cause physical violence to people or property. “Computer code that is incapable of causing, and indeed does not cause, any human casualties or physical destruction, and that non-violently self-propagates while encrypting private civilian computer devices around the world, plainly does not constitute a 'hostile or war-like action,' ” the company said in court records.
The Mondelez lawsuit was filed after the NotPetya malware, in June 2017, rendered dysfunctional 1,700 of Mondelez's servers and 24,000 of its laptops. It also disrupted distribution, leaving customer orders unfulfilled, the company says.
Mondelez filed an insurance claim for damages incurred under its property policy, not a stand-alone cyber policy. Subsequently, in a letter dated June 1, 2018, its property insurer, Zurich American, denied the claim, citing the policy's war exclusion as its reason.