
Paul Zimmerman


Denial of a NotPetya-Related Claim Shakes the Cyber Insurance World

In late June 2017, a cyber worm dubbed “NotPetya” successfully locked up networks across the globe. Infected computers displayed onscreen messages demanding $300 in Bitcoin (digital ransom) in exchange for a decryption key allowing owners to regain access. The scale of the cyber attack was enormous. From the Ukraine to the U.S., banking, oil, electric, shipping and pharmaceutical operations, among many others, were impacted. One of the companies hit by the malware was food giant Mondelez International. The incident reportedly cost it upwards of $100 million to clean up.

If you’re thinking, “no worries, a multinational like Mondelez surely had cyber insurance in place,” you’d be correct – it did. But in a decision that’s turning heads across industries, Zurich American Insurance Company – which issued Mondelez its cyber insurance policy – has refused to pay out on the conglomerate’s claim, arguing that the NotPetya ransomware attack was an act of cyber war specifically excluded from coverage.

Typically, cyber policies cover losses caused by damage, theft, disruption or corruption of electronic data at the hands of a hacker, virus, or denial of service attack. It would appear that the Zurich policy issued to Mondelez provided coverage within those margins to the extent it contemplated “all risks of physical loss or damage” and “all risk of physical loss or damage to electronic data, programs or software” due to “the malicious introduction of a machine code or instruction.” Certainly, the ransomware introduced by the NotPetya hackers would trigger Zurich’s obligations under the policy.

Not so, says the insurer, which is problematic not just for Mondelez, but for insureds worldwide.

Initially, Zurich seemed ready to pay a small fraction of the Mondelez claim, but it backtracked and concluded that because the NotPetya attack was a hostile or warlike action, the policy’s “cyber war” clause governs and shields the insurer from its coverage responsibilities. Zurich’s thesis is not without support, given that the focus of NotPetya was destruction, not monetary gain.

The source of the infection looks to have been a deliberate and well-planned installation of a backdoor in an update module for M.E.Doc, a tax-accounting application that is widely used in the Ukraine. Indeed, the initial attack hit Ukrainian government and business computer systems, with approximately 60% of all affected machines located within that country, leading the Ukraine’s security services (SBU) to conclude that the ransomware was a Russian cyberattack in disguise. Intelligence officials of the U.K., Canadian, Australian and U.S. governments have concurred.

The precedent Zurich has set with its denial of the Mondelez claim is rather chilling. In the wake of this decision, insureds – large and small – are left uncertain as to whether their cyber policies will protect them in the event of a cyber attack or data breach, or whether insurers could play the “cyber war” card to escape their contractual duties. This is particularly troubling because while actual wars are a rarity, cyber crime is an all too frequent occurrence.

No doubt, Zurich’s reliance on its “cyber war” exclusion will be tested in the courts. In the meantime, insurance companies issuing policies of cyber insurance may be incentivized to deny claims by characterizing any given hack or data breach as an “act of war” or “terrorism” in the event the financial motive of the criminals is unclear (remember, while NotPetya was cast as ransomware, the system to pay the ransom was broken, leading the aforementioned governmental officials to conclude that Russian intelligence was attacking Ukrainian infrastructure). And should this become a trend, the very existence of cyber insurance could hang in the balance.

This blog post is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.