While policyholders, insurance brokers, insurance companies, and industry consultants have wrestled over how to approach the risk of cybercrime perpetrated by foreign powers, any disputes over the application of a war exclusion have been largely private and typically resolved through negotiation.
This recent filing in Illinois, however, places the conversation and the fight on very public terms. A court or jury will likely resolve the application, or lack thereof, of a war exclusion to unconventional threats where suspicion reigns over the involvement of a foreign nation.
Risk Management Action Needed to Procure Best Terms
This recent case makes real the need to assess the potential scope of war exclusions imposed in cyber policies and other lines of property and casualty insurance coverage. Risk managers and brokers must consider what clarity and assurances can be obtained in the marketplace to minimize the risk that insurance companies will attempt to evade coverage for cyber claims where a state actor is allegedly involved in a hack, virus, or other variation of cyberattack.
What May Come Down the Road in the Mondelez Dispute
Mondelez should have the stronger legal position in its cyber dispute with its property insurance company. An all-risk policy, under law, is generally to be construed broadly when considering the promises of the insuring agreements and narrowly when applying the insurance policy’s exclusions.
Under an all-risk insurance policy, a policyholder has a very limited set of items upon which it carries the burden of proof. For example, the policyholder has the burden of establishing a prima facie case for recovery by proving the existence of an all-risk policy and the fortuitous loss of the covered property. See Pan Am. World Airways, Inc. v. Aetna Cas. & Sur. Co., 505 F.2d 989, 999 (2d Cir. 1974); Northwestern Mut. Life Ins. v. Linard, 498 F.2d 556, 561 (2d Cir. 1974); Jomark Textiles, Inc. v. International Fire & Marine Ins. Co., 771 F. Supp. 577, 579 (S.D.N.Y. 1989).
As a corollary, courts often reject an insurance company’s attempts to narrow the scope of the insuring agreements and broaden the scope of the insurance policy’s exclusions. Relevant case law indicates that insurance companies cannot broadly apply exclusionary language, including war risk exclusions, because exclusions from coverage are to be construed narrowly under well recognized insurance precepts. See Cedar & Washington Assocs., LLC v. Port Auth. of N.Y. & N.J., 751 F3d 86, 92 (2d Cir. 2014) (holding that “[t]he purpose of an all-risk insurance contract is to protect against any insurable loss not expressly excluded by the insurer or caused by the insured.”); Id. at 93 (quoting Pan Am. World Airways, Inc., 505 F.2d at 1003-04 (“The experienced all risk insurers should have expected the exclusions drafted by them to be construed narrowly against them, and should have calculated their premiums accordingly.”)); Transcap Assocs. v. Cigna Ins. Co., Case No. 99-C-5292, 2001 U.S. Dist. LEXIS 26964 (N.D. Ill. Sept. 17, 2001) (construing an infidelity exclusion to an inland marine insurance policy narrowly and stating that construing the exclusion broadly “would render the policy a nullity”).
When looking at some of the historical cases addressing the war exclusion in the confines of losses caused by terrorism, courts have typically narrowed the application of those exclusions. Under both aviation and property insurance policies, courts have mainly deemed the war risk exclusion to have narrow application to more conventional notions of military force and armed conflict. As such, the law should favor Mondelez and other similarly situated policyholders in this area.
While this particular case is being fought in the context of a property insurance policy, many cyber policies contain war exclusions. As such, policyholders are well advised to work with their insurance brokers to obtain the most favorable terms available in the insurance market. Additionally, the Mondelez case is a further illustration that when a serious cyber loss occurs, policyholders may have coverage under business insurance policies like their property and crime insurance policies. Policyholders should not solely focus on stand-alone cyber insurance products when they face losses or claims, to the exclusion of other lines of potentially applicable coverage.