Multinational companies that have been purchasing cyber insurance policies to cover themselves in case of malware attacks and cyber hacks might want to read the fine print in their policies. In what is shaping up to be a major test case for the entire cyber insurance industry, Zurich American Insurance Company is refusing to pay out a $100 million claim from consumer packaged goods company Mondelez, which was one of the biggest victims of the infamous NotPetya ransomware attack in June 2017. Zurich says the NotPetya ransomware attack was actually an act of “cyber war,” and therefore, is not covered by the policy.
What the cyber insurance policy was supposed to cover
According to Mondelez, its cyber insurance policy with Zurich specifically covered “all risks of physical loss or damage” and “all risk of physical loss or damage to electronic data, programs or software” due to “the malicious introduction of a machine code or instruction.” Given the plague of data breaches and network security attacks at major companies around the world, the language in the policy was deliberately broad, intended to protect Mondelez against almost any kind of cyber attack. And NotPetya would seem to fit the definition in the policy: it was malicious code that rendered Mondelez’s systems unusable. Although it displayed a Bitcoin ransom demand, NotPetya was in practice a destructive wiper dressed up as ransomware; the attackers had no working way to recover the encryption keys, so paying the ransom would not have brought the affected machines back.
Thus, the case would seem to be a relatively easy one: total up the damage from the NotPetya attack, file a claim, and wait for Zurich American Insurance Company to pay it (or a portion of it). That is exactly what Mondelez did. It arrived at $100 million as the total damages resulting from the loss of 1,700 servers and 24,000 laptops, thousands of compromised user credentials, unfilled orders and other related economic losses from the incident.
Zurich uses “act of war” clause to avoid paying claim
Originally, Zurich indicated that it might pay $10 million, or about 10 percent of the overall claim. But Zurich has since dug in its heels and refused to pay any of the claim by invoking the policy’s war exclusion. According to Zurich, it owes nothing if NotPetya was “a hostile or warlike action in time of peace or war.” Zurich’s position is that the NotPetya attack was carried out by Russian hackers working directly with the Russian government to destabilize Ukraine, and that is what it has in mind when it describes the attack as “cyber war.”
To back up its case, Zurich American Insurance Company points to official statements from national security officials in the UK, Canadian and Australian governments, all of which publicly blamed Russia for the attack in February 2018. The White House chimed in as well, calling the attack part of the Kremlin’s efforts to destabilize the Ukrainian government. All of these Western governments also noted that NotPetya was first unleashed in Ukraine (the initial infections arrived through a poisoned update to a Ukrainian accounting software package) before spreading around the world to companies like Mondelez.
Implications for the cyber insurance industry
Mondelez, understandably, is outraged. Company executives called Zurich’s actions “unprecedented,” and insurance industry insiders warn that Zurich’s stance could set a “nasty new precedent” for what cyber insurance covers. The worry, in short, is that any time there is a cyber attack or data breach, an insurer can simply declare it an “act of cyber war” and reject the claim.
For now, the momentum appears to favor Mondelez. In insurance coverage disputes, the burden of proving that an exclusion applies generally falls on the insurer, so Zurich will have to prove that NotPetya was, indeed, an act of war. That could prove harder than one might imagine. Attributing a cyber attack to a specific actor is notoriously difficult, and even the coordinated diplomatic move by the UK and its allies to blame Russia might not hold up in court: the intelligence agencies involved published their conclusion, not the evidence behind it.
From the perspective of the cyber insurance industry, one major problem is the escalating size and scope of these attacks. According to cyber experts, the total cost of the NotPetya cleanup alone was close to $80 billion. To put that into perspective, that is more than the total cost of the 2012 Hurricane Sandy disaster. Mondelez was far from the only company left reeling: shipping giant Maersk reported losses of close to $300 million, and global logistics giant FedEx said its losses were also in the neighborhood of $300 million.
So just imagine what would happen if the world’s top insurers were suddenly faced with “once in a lifetime” events on the scale of Hurricane Sandy every few months. It has the potential to bring down the entire insurance industry, or at least the cyber insurance segment of it. Just as some insurers refuse to write homeowner policies in the middle of hurricane or earthquake zones, they might soon start refusing to write cyber insurance for large organizations whose sprawling global networks leave them exposed to this kind of fast-spreading malware.
Re-thinking the concept of cyber war
And, more widely, the Mondelez vs. Zurich case raises the question of what exactly “cyber war” is. Would it cover Chinese hackers breaking into Pentagon computers and the systems of major U.S. defense contractors? Would it cover attacks by anonymous hackers on the U.S. power grid and other critical infrastructure? Would it cover attacks on the nation’s financial system, including credit card or credit monitoring companies? Arguably, all of these could be labeled an act of “cyber war.”
One thing is certain: the world of cyber security is changing much faster than policies, regulations and insurance products can keep up with. Zurich’s refusal to pay for the NotPetya losses on the grounds that they were an act of war should be a warning to businesses large and small that, when a major attack comes, the risk management defenses already in place are what will determine the damage. For NotPetya that meant prompt patching, network segmentation, limiting the reuse of privileged credentials across machines, and tested offline backups; the companies that had these in place recovered far faster than those that did not. Organizations can no longer count on insurers to bail them out.