A significant cyber insurance claim related to the Petya / NotPetya malware attack is being disputed by insurer Zurich, as the policy language includes an exclusion for hostile acts by sovereign actors.
The NotPetya ransomware, a variation of Petya, hit companies around the world, interrupting their business by taking systems out of action and resulting in a significant cyber insurance loss, both from affirmative cyber coverage and from so-called silent cyber impacts.
According to Property Claim Services (PCS), the total insurance and reinsurance industry loss from the Petya / NotPetya cyber attack has surpassed $3 billion, with around 90% driven by silent cyber impacts and the remainder from affirmative losses to specific cyber insurance contracts.
One of these cyber insurance claims is now in dispute, according to an article by Robert Stines, an expert in cyber law and a partner at law firm Freeborn & Peters LLP.
Stines explains that Mondelez International Inc., the global food manufacturer and brand owner, was affected by the NotPetya malware and experienced impacts to its computer hardware and software systems as a result, with the effects ranging from property damage, to distribution disruption and the inability to fulfill orders.
Mondelez claimed on its corporate insurance policy, reporting losses of over $100 million to its business, Stines says.
The company is now suing Zurich for refusing to pay out for its claim in what will likely be the first serious legal dispute about recovering the costs of a cyber attack.
Stines explains that insurer Zurich underwrites a policy that provides Mondelez with coverage against:
“all risks of physical loss or damage” to property, including “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”
The policy also provided coverage for loss or expenses incurred by Mondelez during the period of business interruption directly resulting from the failure of Mondelez’s electronic data processing equipment or media.
With this insurance coverage in force at the time of the NotPetya malware attack, it would seem Mondelez could have been covered for its losses, but Stines goes on to explain that Zurich is disputing the claim due to a clause in the policy that excludes any “hostile or war like act” by any “government or sovereign power.”
NotPetya is widely viewed as having been a state-sponsored cyber attack, with Russia put forward as the sovereign potentially behind the malware.
Zurich declined to support the insurance claim as a result of the exclusion language, and Mondelez has responded by suing the insurer.
Stines notes that cyber insurance policies that include exclusions for warlike or terrorism-linked activity may not be as effective in a world where state-sponsored actors are often blamed for major cyber attacks and malware incidents.
He explains that the onus will be on Zurich to prove that the exclusion applies, but this could also be a difficult task given that the information needed to prove where the NotPetya malware actually came from could be a guarded state secret.
Stines’ article highlights a grey area in cyber insurance coverage that can affect both affirmative and silent coverages.
The $3 billion+ (the estimate is pegged at up to $3.3 billion in our data library of major industry losses) Petya / NotPetya industry loss is largely from silent cyber coverage, where corporates have been claiming on property insurance towers that provide business interruption coverage.
With over $2 billion of the loss set to come from one company, pharmaceutical giant Merck & Co., which experienced a $1.75 billion silent cyber loss and a $275 million affirmative cyber loss, it seems likely these policies did not include similar exclusions.
But this case highlights the importance of understanding your cyber coverage, especially where state-sponsored actors could be the ultimate source of an attack or malware outbreak.