Cyber coverage remains a hot topic in the insurance world. The coverage is relatively new and complicated questions of claims handling are still working their way through the court system with often unforeseeable results. Now, a novel defense is one cyber coverage lawsuit may throw a major wrench in the extent of protection these policies provide.
NotPetya Claims Still Outstanding
In June 2017, companies around the world were hit with a ransomware attack eventually named NotPetya. NotPetya involved an exploit originally developed by the National Security Agency that was leaked to the public. The attack originated in Ukraine on the servers of a company that had failed to update its software in several years and had evidence of infiltration by Russian security groups. It eventually affected companies across Europe and North America and is estimated to have done more than ten billion dollars in damage. U.S. government officials placed the blame for the attack on Russia.
Mondelez International Suffers After NotPetya Attack
One of the American companies affected by NotPetya was Mondelez International, a food company most well known for its Kraft Foods brand. Mondelez had purchased a cyber insurance policy from Zurich American Insurance Company. Mondelez submitted a $100 million claim to Zurich. The ensuing conflict between the two eventually led to Zurich refusing to pay the claim.
Act of Ware Exclusion For Cyber Breaches
Importantly, Zurich has used the policies “act of war” exclusion to avoid paying the claim. If successful in Court, this approach could have far reaching consequences for the amount of coverage provided by cyber insurance policies. Act of war exclusions generally prevent insurance policies from covering damage or loss that results from military conflicts including terrorism. Traditionally, the reasoning behind these exclusions is that insurance companies lack the financial resources to provide coverage for the wide scale destruction that war brings.
The Burden Of Proof For Insurance Companies To Use This Exclusion
Bringing the war exclusion into the cyber age complicates a number of issues. While NotPetya was a global incident traced to a single source, most cyberattacks do not fit that pattern. Tracing the source of most cyberattacks can be difficult. The burden of proof may lie with the insurance company in the aftermath of the claim, but it can still complicate and delay the process of recovering from the attack for many companies. Furthermore, it may be incredibly hard to draw the line between an attack that is part of a cyber war and one that is not. If a Russian hacker independently attacks a U.S. company using tools created by the Russian government and in a way that furthers the goals of the Russian government in creating chaos within the U.S. economy, would such an attack qualify?
To Give Your Business A Better Chance, Act Now
The success of these claims may take a long time to figure out, but it is already clear that insurance companies will rest strongly on broad interpretations of policy exclusions to protect themselves from paying out cyber claims where feasible. Businesses need to rely on their own risk management and cyber security strategies as their first line of defense in these situations.