A new report from GlobalData says that cyberattacks from Russia could be set to cause more disputes between businesses and insurers following the Zurich-Mondelez case.
The firm said in its 2022 UK SME Insurance Survey that 9% of SMEs in the UK that purchased cyber insurance in 2022 said the Russia-Ukraine conflict was a key trigger for their purchase. According to the company, nearly one in 10 SMEs that bought cyber insurance in 2022 did so as a precaution against the Russia-Ukraine conflict.
Ben Carey-Evans, senior insurance analyst at GlobalData, said: “While it ranked behind several other key factors, businesses that cited this factor will certainly expect to be paid out if they are victims of a cyberattack for this reason”.
The leading factors were increased working from home during the pandemic (27%) and media reports about cyberattacks (26%).
Carey-Evans added: “It is critical that insurers are very clear over what is and is not covered, as a stream of high-profile cyber legal cases would be very damaging for the industry – especially following the recent business interruption cases arising from the pandemic. Such cases would risk increasing the view that insurers look to get out of paying claims, which will make retaining customers even harder than it is already due to the cost-of-living crisis.”
In a recent high-profile case, Zurich and Mondelez International (owner of Cadbury) agreed a settlement of $100m following a legal dispute over whether Zurich could avoid paying out a cyber claim over a war exclusion. The cyberattack attributed to Russia took place in 2017, after the annexation of Crimea in 2014.
Zurich had denied claims from Mondelez on the grounds that the NotPetya attack, which initially targeted Ukrainian organizations, had been a state-sponsored attack by Russia and therefore fell under its act of war exemptions.
Firms such as Mondelez were considered to have taken collateral damage as the malware spread beyond its initial targets, with Mondelez claiming to have incurred $100 million of damages after having 24,000 laptops and 1,700 servers wiped out on its network.
Believing this represented clear physical loss or damage under its cyber insurance policy, Mondelez therefore brought a lawsuit against Zurich to contest the interpretation of its war exemptions.
Carey-Evans added: “The resolution of the case could create a legal precedent that means insurers will have to pay out on claims coming from Russia going forward. However, the escalation of the conflict since this attack happened could strengthen insurers’ arguments for ‘act of war’ exclusions for future cases.”
