Mondelez obtained a property insurance policy that covered “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of machine code or instruction.” Id. at 2. The policy also included coverage for losses and expenses incurred “during the period of interruption directly resulting from the failure of the Insured’s electronic data processing equipment or media to operate.” Id. Understandably, Mondelez assumed that it was covered for the property damage, commercial disruptions, unfulfilled orders, and other losses that were a direct result of the “NotPetya” cyber-attack.
After close to a year of “adjusting” the claim, Zurich informed Mondelez that it was denying coverage pursuant to a single exclusion (“War Exclusion”):
B. This Policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this Policy, contributing concurrently or in any other sequence to the loss:
- (2) a) hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack by any:
- (i) government or sovereign power (de jure or de facto)
- (ii) military, naval, or air force; or
- (iii) agent or authority of any party specified in i or ii above.
Id. at 4. This application of a War Exclusion to a cyber incident is unprecedented, and frankly, astonishing. While experts have accused Russia of perpetuating the “NotPetya” malware (not ransomware), the source of the attack has not been confirmed. Far from a warlike action by a governmental power, “NotPetya” was a devastating attack that crippled companies across the globe with the types of damages and losses that Mondelez sought to insure.
To add insult to injury, Zurich adjusted this claim for close to a year, while forcing Mondelez to submit voluminous amounts of information and provide access to employees and consultants hired by Mondelez to substantiate the claim. See id. at 3. And when Mondelez disputed Zurich’s denial of the claim, Zurich offered and then refused to pay a $10,000,000 partial payment offer (10% of claim) and delayed the adjustment for another four months. See id. at 5-6. After over eighteen months, Zurich continues to hide behind this War Exclusion that it could have identified early in the adjustment process, which would have allowed Mondelez to file this lawsuit months ago. The facts surrounding the “NotPetya” attack remain the same, so this War Exclusion did not become more relevant over time. These delay tactics are common with the insurance carriers, as the longer the claim and dispute process takes, the better the chance to avoid paying the entire claim. We hope that Mondelez wins this legal battle, but Zurich appears to be digging in its heels.
Zurich’s reliance on a War Exclusion to deny a cyber claim is further evidence that insurance carriers continue to search for new and creative ways to avoid paying cyber-related claims. And because legislation and case law surrounding cyber insurance is just starting to be developed, this remains a lucrative game for the insurance carriers. A game where the carriers can stack the deck with pages and pages of exclusions, definitions, and conditions to avoid paying claims. Do not assume that you are covered for a cyber event because the insurance carriers will leverage novel legal arguments, delay tactics, and gamesmanship to ultimately deny the claim or at least reduce the payout.
RegitzMauck PLLC is an intellectual property boutique based in Dallas, Texas. The firm focuses on providing value-based legal services to cost-conscious clients seeking high quality legal representation in intellectual property, cybersecurity, and technology matters and disputes.