Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Is Insurance Coverage for Cyber Claims Barred by a War Exclusion?

July 9, 2019

The International Association of Privacy Professionals (IAPP) recently carried an article by our friend Judy Selby and Peter McLaughlin entitled "Is Insurance Coverage for Cyber Claims Barred by a War Exclusion?"

As they point out, insurance coverage disputes typically aren’t front-page news events, but two recent case filings made headlines in legal, insurance and even mainstream news outlets. The cases involve claims by corporate giants Mondelez International and Merck for losses each company sustained as a result of being infected with the ransomware NotPetya.

Many firms suffered "collateral damage" from the NotPetya attack. Entire networks had to be shut down to prevent further spread of the malware. It may well have taken days to segregate, inspect, cleanse and restart priority systems, then weeks before less critical applications and communications of affected firms were functioning. Mondelez and Merck looked to their insurers for compensation.

According to Mondelez’s complaint against Zurich American Insurance Company, its insurance policy provides coverage for “all risks of physical loss or damage” to Mondelez property, including instances of “physical loss or damage to electronic data, programs, or software … caused by the malicious introduction of a machine code or instruction.” Under its policy, Mondelez said it incurred insured losses well in excess of $100 million. Mondelez alleged that Zurich denied coverage based on a policy exclusion “for hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any: (i) government or sovereign power; (ii) military, naval, or air force; or (iii) agent or authority of any party specified in i or ii above.”

In its complaint against more than 20 insurers, Merck alleged that it experienced a “network interruption event … resulting from a malware infection, which involved the destruction, distortion or corruption of its computer data, coding, program or software resulting from malware presented as ransomware.” The event allegedly “led to extensive disruption of Merck’s worldwide operations” and adversely affected Merck’s sales. Merck claims that its losses “exceed the deductibles or attachment points” of all the insurance policies at issue and that the defendants reserved the right to deny coverage based on their policies’ war exclusions.

This is where much of the world got confused. The policies at issue with both Mondelez and Merck are property policies. The claims involve cyber events, but the policies are not privacy or network security insurance policies. In fact, Merck notes in its complaint that it has received payment for its NotPetya claim under its cyberinsurance policies, saying that its cyberinsurers “have been making payments to Merck or otherwise have not contested their coverage obligations.” That is consistent with recent statements by a leading cyberinsurance broker that cyberinsurers have not denied claims based on a war exclusion.

So the initial reports were wrong. But there was a lot of concern that vast numbers of cyber incidents involving state actors would not be covered under cyber policies, which often contain a war exclusion because of the extensive role of state actors.

While cyberinsurance holders should take comfort in the fact that their providers appear to be covering alleged state-sponsored events, here are some strategies companies can consider to mitigate the risk that a cyberinsurer will deny a claim based on a war exclusion.

Avoid it. Some cyberinsurance policies do not contain a war exclusion. All other things being equal between two cyberinsurance policy forms, a policy that doesn’t contain the exclusion may be the better option.

Negotiate for removal. Today’s cyberinsurance market is “soft,” meaning competitive among insurers. You may be able to negotiate for more favorable terms, including the removal of exclusionary provisions.

Limit it. An insurer that refuses to remove a war exclusion may be willing to add an exception to the exclusion for certain types of cyber events that affect the computer network of the insured or its third-party service providers.

Modify it. Some insurers reportedly are willing to modify their war exclusions by adding the term “kinetic,” with the goal of limiting application of the exclusion to the traditional “bullets-flying” warfare.

Get it in writing. Ask the insurer for written assurances that it will not rely on the war exclusion to deny at least certain types of claims.

This is all great advice. Our experience is that very few law firms or other entities understand their insurance policies. In fact, many brokers do not understand the policies, particularly as they apply to cyber events. But by using the pointers above, you may be able to take away the risk that an insurer will ever point to a war exclusion clause to deny coverage.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700

Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson