updated on 18 February 2020
Question: When does a cyber-attack become an act of war?
An open question in the cyber insurance market is whether a cyber-attack can be construed as an act of war and, if so, what implications this has for both insurers and businesses wanting to insure against losses caused by cyber-attacks.
There have been two key examples relating to the way that insurers treat cyber-attacks: the first is the 2018 cyber-attack on the Marriott hotel group, which resulted in up to 500 million guests' data being accessed and a large insurance payout; and the second is the losses suffered by snack company Mondelez in a global cyber-attack, which led Mondelez to sue its insurers in the US for refusing to reimburse those losses.
The Marriott hotel group announced in November 2018 that it had been subject to a cyber-attack. The group's databases had been hacked, with millions of guests' records improperly accessed by the perpetrator. The group held insurance that covered cyber breaches and privacy liabilities and has since received over $100 million towards the expenses that arose out of the incident.
This is a far cry from the position in which Mondelez International finds itself. The global food brand was significantly affected by the NotPetya cyber-attack in 2017. The business' laptops and emails froze and its logistics software crashed. Following weeks of remedial action, Mondelez recovered its systems. After suffering losses in excess of $100 million as a result of NotPetya, Mondelez turned to its insurers, Zurich, only to find that the latter is relying on a 'war' exclusion clause in its policy to avoid reimbursing the losses.
Act of 'war'?
Both the cyber-attacks suffered by Marriott and Mondelez were likely started by state-backed attackers. The Marriott data breach has been widely reported as the responsibility of Chinese state-backed hackers, but the cyber-insurance policy held by Marriott has reimbursed the hotel group for a large portion of its losses. Conversely, the NotPetya attack originated in Russia and has been tied to Russia's conflict with Ukraine. It is this state link that Zurich has used to rely on the 'war' exclusion in its policy wording.
Zurich claims that it is not liable to reimburse for "loss or damage directly or indirectly caused by or resulting from … hostile or warlike action … by any government or sovereign power … or agent or authority [thereof]." Mondelez is now in the process of suing Zurich in the Illinois court. The court must now decide whether cyber-attacks are an act of war, a decision which, although immediately landing in the US, may set a direction of travel in the global cyber-insurance market.
Marriott had specifically purchased a cyber insurance product, whereas Mondelez is claiming that its losses fall under an all-risk property insurance product. There are divisions in the insurance market for different products and there are specific insurance markets for cyber activities, for war and for criminal activity. It could therefore be argued that if Mondelez had wanted to ensure that it was covered for the type of losses caused by NotPetya, it should have taken out a specific cyber policy.
The US case Mondelez v Zurich is understandably being watched with interest around the world: should insurers be able to successfully rely on the 'war' exclusion, businesses could be left exposed to risks if they come under a cyber-attack stemming from a government or state (or an agent or third party acting on behalf of a government or state). Not only would this undermine the cyber insurance market globally, it also raises the issue of insurance cover being dependent on who a business is hacked by. Different insurance outcomes could result from a cyber-attack by opportunistic criminals as opposed to state-controlled hackers, even though the virus and subsequent losses could be identical. There may be interesting questions as to whether – and if so how – insurers will be able to prove the origin of the attack to the satisfaction of the court. But none of this would be helpful to businesses purchasing insurance products, who require certainty that, should they be targeted, their losses are covered so that they do not themselves become the victims of collateral damage in an invisible cyber-war. Such uncertainty would also be unhelpful to insurers who want their potential customers to have confidence about the protection they are buying.
For insurers, insureds and brokers alike, careful thought should be given to act of war exclusions in the context of cyber-attacks, both in specialist cyber policies and when covering other risks.
Andrew Parsons, Katie Simmonds and Jenny Gibbs are solicitors at Womble Bond Dickinson. They focus on technology and privacy issues.