The entire insurance industry is suddenly abuzz about the rarely discussed “war exclusion.” A standard provision in most policies that excludes claims caused by a hostile or warlike action in time of peace or war, usually by a military or a government/sovereign power, is all the rage. Why? The billions of dollars of damages caused by the NotPetya virus and insurers attempts to avoid paying them.
The NotPetya virus was released in 2017 apparently to attack accounting software in Ukraine, perhaps as an attempt to disrupt Ukraine’s supply network, but it quickly spread and caused collateral damage to a multitude of policyholders around the world. At first, insurers believed it was a criminal ransomware money making exercise, just like the Petya ransomware attacks in 2016. Now, insurers insist it was an act of war, because the virus looked like ransomware, but ultimately caused only destruction. The US and UK believe the Russian government or military was “almost certainly” behind the attack. Russia denies any involvement and points out that the virus spread to Russian commercial systems as well. No indictments have been filed and public information on the source of the attack is limited.
Not surprisingly given the stakes, coverage litigation over denials under the war exclusion for the NotPetya virus are brewing. A late 2018 lawsuit filed in Chicago revealed that Zurich was denying coverage under a property policy based on a “war exclusion” for $100 million in damages caused by the NotPetya virus. The policyholder, Mondelez International, maker of various essential food items, including Oreo cookies and Toblerone chocolate, did not realize it was at war with anyone when the virus wiped out thousands of its servers and laptops in June 2017. Likewise, it was recently reported that international law firm DLA Piper is apparently moving to sue Hiscox for coverage after a war exclusion denial. The law firm’s computer systems were badly impaired by the virus and allegedly required 15,000 hours of IT overtime to get back up and running.
The use of the war exclusion here seems quixotic and beyond the expectations of ordinary policyholders when purchasing their insurance program. Even brokers are dismayed and are openly discussing war exclusion denials as overreach (see “NotPetya Was Not a Cyber ‘War’” Marsh & McLennan Insights http://www.mmc.com/insights/publications/2018/aug/notpetya-was-not-cyber-war.html ). In most instances, insurers will bear the burden of proving that these circumstances fall under the war exclusion. As noted above, proving that the virus was released by a state actor as part of a hostile or warlike action is a serious hurdle.
Meanwhile, policyholders need to pay attention when renewing their insurance programs to make sure they are getting coverage for these potential cyber risks. The insurance industry is scrambling to change language in policies, so they do not have to prove up the requirements of the traditional war exclusion. Policyholders can expect to see the introduction of broader exclusions in non-cyber policies, such as general liability and first-party property policies. On the other hand, many cyber insurers may be willing to provide explicit cover for these types of claims or, at a minimum, negotiate a narrower war exclusion. Change is afoot!