Big firms think insurance covers cyber attacks, but they may be wrong

A confectionery plant operated by Mondelez International in Ukraine. Mondelez had hoped that insurance would cover the losses it suffered when it was hit by the NotPetya cyberstrike in 2017, but its insurer cited a common, but rarely used, clause in
A confectionery plant operated by Mondelez International in Ukraine. Mondelez had hoped that insurance would cover the losses it suffered when it was hit by the NotPetya cyberstrike in 2017, but its insurer cited a common, but rarely used, clause in insurance contracts - the "war exclusion". Mondelez's loss was deemed collateral damage in a cyberwar.PHOTO: BLOOMBERG

LONDON • Within days of a cyber attack, warehouses of snack food company Mondelez International filled with a backlog of Oreo cookies and Ritz crackers.

Mondelez, owner of dozens of well-known food brands such as Cadbury chocolate and Philadelphia cream cheese, was one of the hundreds of companies struck by the NotPetya cyberstrike in 2017. Laptops froze suddenly as Mondelez employees worked at their desks.

E-mail was unavailable, as was access to files on the corporate network. Logistics software that orchestrates deliveries and tracks invoices crashed.

Even with teams working around the clock, it was weeks before Mondelez recovered. Once the lost orders were tallied and computer equipment was replaced, its financial hit was more than US$100 million (S$136 million), according to court documents.

After the ordeal, executives at the company took some solace in knowing that insurance would help cover the costs. Or so they thought.

Zurich Insurance, Mondelez's insurer, said it would not be sending a reimbursement cheque. It cited a common, but rarely used, clause in insurance contracts - the "war exclusion", which protects insurers from being saddled with costs related to damage from war. Mondelez's loss was deemed collateral damage in a cyberwar.

The 2017 attack was a watershed moment for the insurance industry. Since then, insurers have been applying the war exemption to avoid claims related to digital attacks.

UNEXPECTED

You have insurers who are sitting on insurance policies that were never underwritten or understood to cover cyber-risk. Zurich didn't underwrite the policy with the idea that a cyber event would cause the kind of losses that happened to Mondelez. Nobody is at war with Mondelez.

'' MR SCOTT KANNRY, chief executive of risk assessment firm Axio Global, on the closely watched Mondelez case.

In addition to Mondelez, pharmaceutical giant Merck said insurers had denied claims after the NotPetya attack hit its sales research, sales and manufacturing operations, causing nearly US$700 million in damage.

When the United States government assigned responsibility for NotPetya to Russia last year, insurers were provided with a justification for refusing to cover the damage.

Just as they would not be liable if a bomb blew up a corporate building during an armed conflict, they claim not to be responsible when a state-backed hack strikes a computer network.

The disputes are playing out in court. In a closely watched legal battle, Mondelez sued Zurich Insurance last year for a breach of contract in an Illinois court. Merck also filed a similar suit in New Jersey in August. Merck sued more than 20 insurers that rejected claims related to the NotPetya attack, including several that cited the war exemption.

The two cases could take years to resolve. The legal fights will set a precedent about who pays when businesses are hit by a cyber attack blamed on a foreign government.

The cases have broader implications for government officials, who have increasingly taken a bolder approach to naming and shaming state sponsors of cyber attacks, but now risk becoming enmeshed in corporate disputes by giving insurance firms a rationale to deny claims.

"You're running a huge risk that cyber insurance in the future will be worthless," said Dr Ariel Levite, a senior fellow at the Carnegie Endowment for International Peace, who has written about the case.

But he said the insurance industry's position on NotPetya is "not entirely frivolous because it is widely believed that the Russians had been behind the attack".

Mondelez said in a statement that while its business had recovered quickly from the attack, Zurich Insurance was responsible for honouring an insurance policy that explicitly covers cyber events. The company added that it did not believe the war exemption clause fits the circumstances.

Zurich Insurance and Merck declined to comment because of the active litigation. But court documents, public filings and interviews with people familiar with cases provided details about the disputes.

Cyber attacks have created a unique challenge for insurers. Traditional practices - such as not covering multiple buildings in the same neighbourhood to avoid the risk of, say, a big fire - do not apply.

 
 
 
 

Malware moves fast and unpredictably, leaving an expensive trail of collateral damage. "It cuts across practically every type of business activity," Dr Levite said. The risk, he added, "can no longer be contained in this interconnected world".

Many insurance companies sell cyber coverage, but the policies are often written narrowly to cover costs related to the loss of customer data, such as helping a company provide credit checks or cover legal bills.

Mondelez argued that its property insurance package should cover the losses from the NotPetya attack. In court filings, Mondelez said its policy had been updated in 2016 to include losses caused by "the malicious introduction of a machine code or instruction".

The company lost 1,700 servers and 24,000 laptops. Employees were left to communicate through WhatsApp and executives posted updates on Yammer, a social network used by companies.

Damage from NotPetya spread all the way to Hobart, Tasmania, where computers in a Cadbury factory displayed ransomware messages that demanded US$300 in bitcoin.

Courts often rule against insurers that try to apply the wartime exemption.

After hijackers destroyed a Pan Am airliner in 1970, a US court rejected insurer Aetna's attempt, determining that the action was criminal and not an act of war.

In 1983, a judge ruled that Holiday Inn's insurance policy covered damage from the civil war in Lebanon.

In the Mondelez and Merck lawsuits, the central question is whether the government's attribution of the NotPetya attack to Russia meets the bar for the war exclusion.

Risk industry experts say cyberwar is still largely undefined. Attribution can be difficult when attacks come from groups with unofficial links to a state and the blamed government denies involvement.

Mr Jake Olcott, vice-president at BitSight Technologies, a cyber-risk adviser, said: "We still don't have a clear idea of what cyberwar actually looks like. That is one of the struggles in this case. No one has said this was an all-out cyberwar by Russia."

In the past, US officials were reluctant to qualify cyber attacks as cyberwar, fearing the term could provoke an escalation.

Former US president Barack Obama, for example, was careful to say the aggressive North Korean cyber attack on Sony Pictures Entertainment in 2014, which destroyed more than 70 per cent of Sony's computer servers, was an act of "cyber vandalism".

That label was sharply criticised by then Senator John McCain and Senator Lindsey Graham, who called the hack a "new form of warfare" and "terrorism".

The description of the Sony attack was deliberate, said Mr John Carlin, assistant attorney-general at the Justice Department at the time.

In an interview, he said the Obama administration had worried, in part, that using the term "cyberwar" would have triggered the liability exclusions and fine print that Mondelez is now challenging in court.

Mr Scott Kannry, chief executive of risk assessment firm Axio Global, said the insurance industry is watching the Mondelez case closely because many policies were created before cyber attacks were such an urgent risk.

"You have insurers who are sitting on insurance policies that were never underwritten or understood to cover cyber-risk," he said. "Zurich didn't underwrite the policy with the idea that a cyber event would cause the kind of losses that happened to Mondelez. Nobody is at war with Mondelez."

Many insurance companies are rethinking their coverage.

Since the lawsuits were filed, Ms Shannan Fort, who specialises in cyber insurance for Aon, one of the world's largest insurance brokers, has been fielding calls from companies scrambling to be sure they will be safe if attacked, she said.

"I don't want to scare people but if a country attacks a very specific segment, such as national infrastructure, is that cyber terrorism or an act of war?" she asked. "There is still a bit of grey area."

Mr Ty Sagalow, former chief operating officer at insurance giant AIG, helped pioneer the market for cyber-risk insurance nearly two decades ago.

Insurers risk abusing the war exclusion by not paying claims, he said, particularly when an attack "can hit companies that were not the original target of violence".

Collateral damage from attacks that get out of control is going to become more and more common, he added.

"That is what cyber is today," Mr Sagalow said. "And if you don't like it, you shouldn't be in the business."

NYTIMES

A version of this article appeared in the print edition of The Straits Times on April 20, 2019, with the headline 'Big firms think insurance covers cyber attacks, but they may be wrong'. Print Edition | Subscribe