Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

March 2019
Carriers nurtured the market’s fast growth by quietly paying claims—until now.
By Matt Fleischer-Black
CYBER INSURANCE HAS COME A LONG WAY. It’s no longer a novelty. Experts say that executives no longer have to justify the expense. In fact, if they don’t have it, they may well have some explaining to do. 
     Insurance companies have reciprocated by nurturing the market. That has included playing nice when clients file claims. Carriers have paid with few complaints. There have been no big public altercations. Until now.
     A battle line has emerged. And in this case, the war metaphor seems doubly appropriate. It pits Mondelez International, the snack food giant that sells Oreo cookies, Ritz crackers, and Toblerone chocolate, against insurance giant Zurich American. The root of their dispute is the war exclusion, standard in insurance contracts.
     Mondelez was one of dozens of companies to suffer damages during the global NotPetya ransomware attack in 2017. The malware raced through and wiped networks as fast as security professionals had ever seen, turning millions of computers into bricks. It caused $10 billion in damage, the U.S. Department of Homeland Security concluded. The snack company was devastated, claiming that it had suffered at least $100 million in losses.
     Wisely, Mondelez had negotiated additional coverage into its policy. The company made sure to protect itself against “physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of machine code or instruction.”  The policy covered, too, nonphysical losses and expenses caused by the failure of “electronic data processing equipment or media to operate” due to malicious cyber damage. In July 2017, the wounded company submitted a claim to Zurich.
     But 11 months later, after negotiations, the carrier denied the entire claim. It invoked an “act of war” exclusion because, Zurich argued, NotPetya was a “hostile or warlike action” by a “sovereign government or power, military force or their agents.” It offered not so much as a cracker crumb in compensation.

The Company Sues
The snack giant sued Zurich in October 2018 for breach of contract in Illinois state court, in Chicago. Mondelez argued that courts, insurers and companies have previously applied this exclusion only to conventional, physical armed conflict. Applying the clause to the delivery of malicious code by hackers would be unprecedented. Nor was this exclusion specifically addressed in the policy, Mondelez added. It was, therefore, Zurich’s burden to show that the exclusion extended to cyberattacks.
     Zurich has not commented or filed an answer in court.  Yet it will undoubtedly tell the judge that in February 2018, the United States, the United Kingdom, Canada and Australia all officially blamed Russia for NotPetya. The White House labeled the indiscriminately destructive wormware “part of Russia’s effort to destabilize Ukraine.” It remains to be seen whether the court will find this government statement enough to rule that Mondelez was a victim of an act of war, and whether that designation would constitute a valid exclusion under its insurance policy.
     No matter what the court does, this is a turning point, said Jordan Rand, a partner at Klehr Harrison Harvey Bransburg who represents policyholders. In the growing push to develop cyber insurance, carriers have denied few or no cyber-related claims, said Rand, adding: “If you want to make this market rival the property and casualty insurance market, the narrative has to be that carriers are paying the claims.” 
     Now the worm has turned. “Mondelez is the first time that there’s been a very high-profile denial of a claim,” Rand said.

A Rapidly Growing Market
Cyber insurance was due for a fight like this. Property, commercial general liability and other long-established insurance policies have well-honed language that’s been worked out through many lawsuits. “Cyber doesn’t have that history,” said Inga Goddijn, who is executive vice-president of insurance at Risk Based Security, a risk management consultant and data provider. 
     “It’s been around only for 20 years,” she said, “and widespread for 10 to 15—if it even is widespread. And the language that is used in cyber policies does not have the track record, or the lawsuit process, for a public interpretation of what the terms and conditions of the policy might mean.”  
     Over 90 percent of large public companies now have some cyber insurance. Yet, overall, just 30-45 percent of U.S. companies do. “In the middle-size markets, not even 50 percent of companies have it,” said Austin Morris, Jr. of Morris Risk Management, who has brokered cyber insurance since 2008. In time they will. “The local barber shop that doesn’t have any records and takes cash doesn’t need cyber coverage. Every other business does,” he said.
     This intensifying demand for cyber insurance has sparked a rush to supply it. More than 90 insurers now offer cyber policies, Morris said. (Insurance Journal headline: “Cyber Insurance: Many Choices Now That There Is No Choice.”) Claims are picking up. U.S. cyber insurance policyholders filed 9,017 claims in 2017, twice as many as in 2016, according to A.M. Best, the insurance ratings and data publisher.
     In insurance terms, a worldwide, innovative cyberattack “is arguably more damaging than a nuclear bomb, because [a bomb is] confined geographically,” said Klehr Harrison’s Rand. “[A cyberattack] could have ripple effects across other lines of insurance. It could crush a time-tested company like Zurich.”
     Researchers at both the RAND Corporation and the Carnegie Endowment have recently published papers detailing concerns about underwriting in the cyber insurance market, the rapid expansion of cyber perils, and how an avalanche of simultaneous, massive damage claims might wipe out many insurers and reinsurance carriers.

The Stakes Are High
There’s a lot of pressure on Zurich. Michael Levine, an insurance coverage partner at Hunton & Williams, said that the insurer has the burden to prove that NotPetya was an act of war. The governments that blamed Russia didn’t provide any evidence—they used a simple “name and shame” tactic. Will Zurich subpoena the U.S. director of national intelligence to provide evidence?
     Levine said that if the case doesn’t settle first, initial arguments likely will focus on the clarity or ambiguity of the exclusion’s phrasing. If the judge lets Mondelez move forward with the case because the wording doesn’t clearly exclude a cyberattack, discovery about the drafting of the policy will start. Mondelez “certainly will want to see, want to know, how many other claims [Zurich] had involving NotPetya. How many other war exclusions did it use?” Levine said. 
     Zurich is a top 10 cyber insurer , and is seeking to climb higher. Three months before denying Mondelez’s claim, the company’s chief group risk officer published an article on Zurich’s website that cited ransomware attacks like NotPetya as a reason to buy insurance: “Incidents that would once have been considered extraordinary are becoming more and more commonplace. … Examples included the WannaCry attack—which affected 300,000 computers across 150 countries—and NotPetya, which caused quarterly losses of $300 million for a number of affected businesses.”
     If this very cyber event is an impetus for buying Zurich insurance, argued Jordan Rand, “it can’t be that the act of war exclusion applies to it.” 
     Mondelez has some advantages in its case, but in the realm of cyber hostilities, the front lines keep shifting. With this lawsuit—the first high-profile denial of a cyber claim, on an issue that poses a very large risk to the entire insurance industry—Zurich has billions of reasons to push forward with its argument. Yet the possible payouts give it billions of reasons to avoid an unfavorable ruling.
     Good thing that Zurich is in the business of weighing risk.

Matt Fleischer-Black is a freelance journalist and a former senior reporter at The American Lawyer. He has worked for ProPublica, The National Law Journal, The New York Observer and The Village Voice. He lives in New York.