Last month, Ariel Levite and Wyatt Hoffman called for urgent government action to support a robust cyber insurance market in a post on Lawfare. Their argument cited ongoing litigation in Mondelez International, Inc. v. Zurich American Insurance Co., in which Mondelez is asking an Illinois state court to determine whether a claim for losses Mondelez suffered during the 2017 NotPetya attack is precluded by a “hostile or warlike action” exception in its Zurich cyber insurance policy. This post provides a brief overview of the Mondelez complaint and explains the context of the suit.
NotPetya was a ransomware attack that was first spotted in Ukraine on June 27, 2017, and spread around the world in a matter of hours. NotPetya infected corporations from U.S. pharmaceutical firm Merck to Danish shipping stalwart Maersk, encrypting computer hard drives and demanding compensation to gain access to the data. Wired reported that worldwide damages likely exceeded $10 billion. At the time, the public did not know how the insurance industry would respond.
Mondelez provides a first glimpse into that response.
Mondelez International manufactures global snack brands, including Cadbury, Oreo, Ritz, Triscuits, Toblerone and Tang. It is among the 100 largest U.S. companies by market capitalization and reported almost $26 billion in net revenue in fiscal 2017. NotPetya infected two of its servers, and Mondelez estimates that the direct (computer damages) and indirect (supply and distribution disruptions) costs of the malware damage total over $100 million.
According to the complaint, which Mondelez filed in October 2018 in the Circuit Court of Cook County, Illinois, Mondelez filed an insurance claim for damages with Zurich American Insurance, on the grounds that its all-risk property insurance policy covered both the direct physical losses and the indirect expenses incurred during the period of the computer failures. Mondelez states the relevant policy language covered
physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction … [and] Actual Loss Sustained and [extra expense] incurred by the Insured during the period of interruption directly resulting from the failure of the Insured’s electronic data processing equipment or media to operate [resulting from malicious cyber damage].
Mondelez states that Zurich denied the claim in June 2018 on the sole ground that the policy excluded “loss or damage directly or indirectly caused by or resulting from … [a] hostile or warlike action … by any government or sovereign power … or agent or authority [thereof].”
Mondelez asserts that Zurich’s invocation of the “hostile or warlike action” exclusion to deny coverage for a malicious cyber incident is unprecedented and emphasizes that the burden of proof to show that an exclusion applies falls on the insurer.
Making the story more complex, the complaint asserts that Zurich “formally rescind[ed]” its denial of coverage in July 2018 in order to resume adjustment discussions and in October 2018 asserted new coverage defenses in what Mondelez asserts was “an improper effort to ‘mend’ its June 1, 2018 declination of coverage, which had consciously omitted any other possible grounds for denying coverage, thereby waiving them.”
The Case in Context
Zurich has not responded publicly, so we have yet to learn more about Zurich’s theory of the case. Most commentary has revolved around questions of how Zurich might in court attribute the NotPetya ransomware to a state actor. Recall that in February 2018, the U.S., the U.K., and other Five Eyes and NATO nations in a set of coordinated statements publicly attributed the NotPetya malware to the Russian government. The Mondelez case raises questions of whether a court may consider, and how it might weigh, the value of those government attribution statements.
Leonid Bershidsky at Bloomberg warned that if courts take government attribution at face value as a basis for excluding damages from policy coverage, the nascent cyber insurance market will be set back on its heels and businesses will suffer. Others have simply argued that NotPetya was not a “warlike” action for civil purposes, irrespective of the U.S. government’s public statements, and that it might better fit the definition of what President Obama once called “cyber vandalism.” Still others have argued that the case is an example of how private industry and courts need an independent panel of attribution experts, as Microsoft proposed in 2016, as public attributions of cyberattacks by governments do not include the underlying intelligence. Many of these views wryly note the shift to a world where every major insurer and insured must consider how the law of armed conflict might apply in cyberspace—an unenviable task, considering the universe of unresolved questions and the failure of the 2016-2017 United Nations Group of Governmental Experts to come to consensus.
It is too early to know what impact this case will have. Some observers have suggested that if Mondelez wins its court battle, private industry might finally see “a new market in cyberattack insurance overnight.” The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has long encouraged industry to establish a robust cybersecurity insurance market, with mixed results. The dominant view remains that the cybersecurity insurance market is immature compared to other insurance markets and the datasets necessary to understand and accurately price cyber risk are still underdeveloped.
The complaint provides the court with opportunities to avoid the merits question. But even if the Mondelez case fails to provide the “moment of truth” Levite and Hoffman argue for, other cases will certainly follow and the questions raised for private industry will continue to emerge and evolve.
(For those interested in following the case, status updates can be found here. Select the Law Division and enter Case Number 2018-L-011008.)