Extent of cover for ‘silent cyber’ losses - a novel approach

A coverage dispute involving Zurich in the US highlights the importance both for insurers and insureds of understanding the extent of cover under insurance policies for cyber losses.

Background

In the US, Zurich has declined an insured’s claim under a property policy for cyber losses by relying on a war exclusion.

Mondelez International Inc, a global food manufacturer and brand owner, is one of several companies affected by the NotPetya malware, which infiltrated 1,700 of its servers and 24,000 of its laptops, resulting in losses of more than USD 100m.

Mondelez sought to claim under an all-risk property insurance policy, which was underwritten by Zurich American Insurance Company and provided cover for “all risks of physical loss or damage” to property, including “physical loss or damage to electronic data, programs of software, including physical loss or damage caused by the malicious introduction of a machine code or instruction.” The policy also provided cover for loss or expenses incurred by Mondelez during the period of business interruption directly resulting from the failure of Mondelez’s electronic data processing equipment or media.

In a novel move, Zurich declined cover for the claim on the basis of an exclusion in the policy which excludes any “hostile or war like act” including “action in hindering, combating or defending against an actual, impending or expected attack” by any “government or sovereign power”. It is widely considered that the NotPetya malware was a state-sponsored cyber attack by the Russian government that was intended to target Ukraine but inadvertently spread globally. The declinature has triggered a coverage dispute in the Circuit Court of Cook County, Illinois.

Implications

With increasing frequency, cyber attacks could be attributed to government or state sponsored actors (another example being WannaCry), and have the potential to trigger this type of exclusion. We could, therefore, see insurers seeking to invoke war exclusions more frequently. In addition, depending on the factual background and the specific policy wording, insurers may start to be more imaginative in seeking to resist large cyber claims, particularly where the cover is so-called “silent cyber” cover, ie where a policy wording means that insurers inadvertently, and without pricing for it, find themselves potentially covering large cyber claims under non-cyber policies.

It remains to be seen how the US Courts will approach the application of this type of exclusion in the context of a cyber attack, or how that approach will translate into the English legal system. However, Zurich faces a potentially significant evidentiary problem, in that it has the burden of proving that the exclusion applies. Gathering evidence could be extremely difficult as it involves proving that NotPetya was a hostile or warlike act by Russia; such evidence is likely to be highly confidential and restricted as subject to state secrets.

This case highlights the importance of awareness of the extent of cover under standalone cyber policies and “silent” cover for cyber losses under other types of insurance, most commonly property insurance policies which provide business interruption cover. Insurers may wish to review their policy wordings, particularly in the case of non-cyber policies, in order to ensure that they are not providing cover for cyber losses they did not intend to provide.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.