05
Feb
2019

War Risk Exclusions Invoked to Thwart Cyber Coverage: The Shape of Things to Come

Policyholder Advisor & Alert

 Share  print   Print     Subscribe      Download PDF

PUBLISHED ON: February 5, 2019

It's become clear in recent years that some cybercriminal gangs may be affiliated, loosely or otherwise, with nation states. Thus, some cybercriminals have the formidable backing and resources to steal money from our international banking funds transfer systems, meddle in elections, and cause damage and disruption—sometimes without any clear motive or rationale.

State Actor Involvement With Global Cybercrime on the Rise

In the risk management community, discussion is ongoing concerning the applicability, if any, of so-called war risk exclusions to cyber claims that may have some connection to state actors. Also debated: Assuming the exclusion might have some technical applicability to a cyber claim where state involvement is suspected, would an insurance company actually attempt to use a war risk exclusion to evade insurance coverage?

That discussion has largely been academic — until now. A recent case filed in Illinois late last year involved a situation in which a policyholder had cyber coverage promised under their all-risk property insurance policy.

A New Cyber Insurance Battle Front: War Risk Exclusion in Mondelez v. Zurich

In October, a lawsuit, styled Mondelez International, Inc. v. Zurich American Ins. Co., was brought in the circuit trial court for Cook County, Illinois. The suit involved a $100 million coverage dispute over damages arising from the NotPetya cyberattack that struck companies and other organizations around the globe in the summer of 2017.

Mondelez sought coverage under a Zurich all-risk property policy covering property damage and business interruption losses and promising protection for computer-related harm. Specifically, there was express insurance coverage for cyber perils, including “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction.” According to the lawsuit, the summer 2017 NotPetya attack rendered 1,700 company computer servers and approximately 24,000 laptops “permanently dysfunctional.”

Zurich denied Mondelez’s claim and invoked the war exclusion included in the policy. War exclusions are often included in an array of insurance policies including property and stand-alone cyber policies. The Zurich war exclusion at issue provided that insurance coverage was excluded for “hostile or warlike action … by any … government or sovereign power … military, naval or air force,” or an agent or authority of the aforementioned entities.

While policyholders, insurance brokers, insurance companies, and industry consultants have wrestled over how to approach the risk of cybercrime perpetrated by foreign powers, any disputes over the application of a war exclusion have been largely private and typically resolved through negotiation.

This recent filing in Illinois, however, places the conversation and the fight on very public terms. A court or jury will likely resolve the application, or lack thereof, of a war exclusion to unconventional threats where suspicion reigns over the involvement of a foreign nation.

Risk Management Action Needed to Procure Best Terms

This recent case makes real the need to assess the potential scope of war exclusions imposed in cyber policies and other lines of property and casualty insurance coverage. Risk managers and brokers must consider what clarity and assurances can be obtained in the marketplace to minimize the risk that insurance companies will attempt to evade coverage for cyber claims where a state actor is allegedly involved in a hack, virus, or other variation of cyberattack.

What May Come Down the Road in the Mondelez Dispute

Mondelez should have the stronger legal position in its cyber dispute with its property insurance company. An all-risk policy, under law, is generally to be construed broadly when considering the promises of the insuring agreements and narrowly when applying the insurance policy’s exclusions.

Under an all-risk insurance policy, a policyholder has a very limited set of items upon which it carries the burden of proof. For example, the policyholder has the burden of establishing a prima facie case for recovery by proving the existence of an all-risk policy and the fortuitous loss of the covered property. See Pan Am. World Airways, Inc. v. Aetna Cas. & Sur. Co., 505 F.2d 989, 999 (2d Cir. 1974); Northwestern Mut. Life Ins. v. Linard, 498 F.2d 556, 561 (2d Cir. 1974); Jomark Textiles, Inc. v. International Fire & Marine Ins. Co., 771 F. Supp. 577, 579 (S.D.N.Y. 1989).

As a corollary, courts often reject an insurance company’s attempts to narrow the scope of the insuring agreements and broaden the scope of the insurance policy’s exclusions. Relevant case law indicates that insurance companies cannot broadly apply exclusionary language, including war risk exclusions, because exclusions from coverage are to be construed narrowly under well recognized insurance precepts. See Cedar & Washington Assocs., LLC v. Port Auth. of N.Y. & N.J., 751 F3d 86, 92 (2d Cir. 2014) (holding that “[t]he purpose of an all-risk insurance contract is to protect against any insurable loss not expressly excluded by the insurer or caused by the insured.”); Id. at 93 (quoting Pan Am. World Airways, Inc., 505 F.2d at 1003-04 (“The experienced all risk insurers should have expected the exclusions drafted by them to be construed narrowly against them, and should have calculated their premiums accordingly.”)); Transcap Assocs. v. Cigna Ins. Co., Case No. 99-C-5292, 2001 U.S. Dist. LEXIS 26964 (N.D. Ill. Sept. 17, 2001) (construing an infidelity exclusion to an inland marine insurance policy narrowly and stating that construing the exclusion broadly “would render the policy a nullity”).

When looking at some of the historical cases addressing the war exclusion in the confines of losses caused by terrorism, courts have typically narrowed the application of those exclusions. Under both aviation and property insurance policies, courts have mainly deemed the war risk exclusion to have narrow application to more conventional notions of military force and armed conflict. As such, the law should favor Mondelez and other similarly situated policyholders in this area.

Conclusion

While this particular case is being fought in the context of a property insurance policy, many cyber policies contain war exclusions. As such, policyholders are well advised to work with their insurance brokers to obtain the most favorable terms available in the insurance market. Additionally, the Mondelez case is a further illustration that when a serious cyber loss occurs, policyholders may have coverage under business insurance policies like their property and crime insurance policies. Policyholders should not solely focus on stand-alone cyber insurance products when they face losses or claims, to the exclusion of other lines of potentially applicable coverage.