January 24, 2019
You heard that correctly. Mondelez International recently filed a complaint in Illinois alleging that Zurich American Insurance Company denied coverage for a malicious cyber incident pursuant to a war exclusion that was previously only used in times of hostile conflicts. Complaint, Mondelez Int’l, Inc. v. Zurich Am. Ins. Co., No. 2018-L-011008 (Cook County, Illinois Oct. 10, 2018), Dkt. No. 1. After falling victim to two separate introductions of the “NotPetya” malware in June of 2017, Mondelez lost access to approximately 1700 servers and 24,000 laptops. See id. at 2-3. As a result of this damage to both its hardware and operational software, Mondalez submitted an insurance claim for losses in excess of $100,000,000. See id. However, Zurich ultimately denied this claim relying upon a war exclusion and apparently arguing that this “NotPetya” cyberattack was a “hostile or warlike action.” And while this argument seems unfounded, the legal maneuvering and gamesmanship demonstrated by insurance carriers to avoid paying cyber claims never ceases to amaze.
Mondelez obtained a property insurance policy that covered “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of machine code or instruction.” Id. at 2. The policy also included coverage for losses and expenses incurred “during the period of interruption directly resulting from the failure of the Insured’s electronic data processing equipment or media to operate.” Id. Understandably, Mondelez assumed that it was covered for the property damage, commercial disruptions, unfulfilled orders, and other losses that were a direct result of the “NotPetya” cyber-attack.
After close to a year of “adjusting” the claim, Zurich informed Mondelez that it was denying coverage pursuant to a single exclusion (“War Exclusion”):
B. This Policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this Policy, contributing concurrently or in any other sequence to the loss:
- (2) a) hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack by any:
- (i) government or sovereign power (de jure or de facto)
- (ii) military, naval, or air force; or
- (iii) agent or authority of any party specified in i or ii above.
Id. at 4. This application of a War Exclusion to a cyber incident is unprecedented, and frankly, astonishing. While experts have accused Russia of perpetuating the “NotPetya” malware (not ransomware), the source of the attack has not been confirmed. Far from a warlike action by a governmental power, “NotPetya” was a devastating attack that crippled companies across the globe with the types of damages and losses that Mondelez sought to insure.
To add insult to injury, Zurich adjusted this claim for close to a year, while forcing Mondelez to submit voluminous amounts of information and provide access to employees and consultants hired by Mondelez to substantiate the claim. See id. at 3. And when Mondelez disputed Zurich’s denial of the claim, Zurich offered and then refused to pay a $10,000,000 partial payment offer (10% of claim) and delayed the adjustment for another four months. See id. at 5-6. After over eighteen months, Zurich continues to hide behind this War Exclusion that it could have identified early in the adjustment process, which would have allowed Mondelez to file this lawsuit months ago. The facts surrounding the “NotPetya” attack remain the same, so this War Exclusion did not become more relevant over time. These delay tactics are common with the insurance carriers, as the longer the claim and dispute process takes, the better the chance to avoid paying the entire claim. We hope that Mondelez wins this legal battle, but Zurich appears to be digging in its heels.
Zurich’s reliance on a War Exclusion to deny a cyber claim is further evidence that insurance carriers continue to search for new and creative ways to avoid paying cyber-related claims. And because legislation and case law surrounding cyber insurance is just starting to be developed, this remains a lucrative game for the insurance carriers. A game where the carriers can stack the deck with pages and pages of exclusions, definitions, and conditions to avoid paying claims. Do not assume that you are covered for a cyber event because the insurance carriers will leverage novel legal arguments, delay tactics, and gamesmanship to ultimately deny the claim or at least reduce the payout.
RegitzMauck PLLC is an intellectual property boutique based in Dallas, Texas. The firm focuses on providing value-based legal services to cost-conscious clients seeking high quality legal representation in intellectual property, cybersecurity, and technology matters and disputes.