When Cyberattacks Are Acts of War, WIll Insurance Protect You?
As state-sponsored or politically motivated cyberattacks increase, companies in the domestic critical infrastructure sector may find themselves without insurance coverage to cover the costs of detection, investigation, response or rebuilding. This is because most insurance policies—including most cyberinsurance policies—expressly exclude actions that constitute an “act of war” from coverage. While these exclusions have been applied to destruction and losses in a typical war zone like, for example, Eastern Ukraine, they may apply equally to damages or losses in Chicago, Illinois.
Mondelez International is a Chicago-based manufacturer of confections and snacks which includes the astronaut’s favorite drink, Tang, and other familiar brands like Cadbury chocolates, Oreo cookies (in all their varieties), Ritz crackers, Triscuit crackers and Swiss chocolate Toblerone. In 2017, Mondelez’ servers were infected by the NotPetya virus, and the company suffered both direct and indirect damages and losses of over $100 million. They filed an insurance claim against their carrier, Zurich American Insurance, claiming that their “all-risk” property insurance covered both the sweets company’s direct losses and its indirect expenses. The policy language indicated that it covered:
“… physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction … [and] Actual Loss Sustained and [extra expense] incurred by the Insured during the period of interruption directly resulting from the failure of the Insured’s electronic data processing equipment or media to operate [resulting from malicious cyber damage].”
However, the policy also included an “act of war” exclusion, excluding coverage for any “loss or damage directly or indirectly caused by or resulting from … [a] hostile or warlike action … by any government or sovereign power … or agent or authority [thereof].”
In February of 2018, the White House released a statement that simply said:
“In June 2017, the Russian military launched the most destructive and costly cyberattack in history. The attack, dubbed “NotPetya,” quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict. This was also a reckless and indiscriminate cyberattack that will be met with international consequences.”
The NotPetya cyberattack was unleashed through a software update on a Ukrainian taxpaying platform. Mondelez, like other U.S. companies, was likely infected because it had a Ukrainian subsidiary that used the platform. Starting this week, a jury in Chicago began to hear evidence in the case to determine whether the “act of war” exclusion meant that the carrier did not have to pay for the sweets company’s losses.
Cyberattack Attribution and Motivation
Act of war exclusions are used to deny coverage for acts that typically occur on or near a battlefield or in a war zone. If a Triscuit factory in Donesk was bombed by a Russian drone, this would clearly be excluded from ordinary insurance damage policies under the hostile action exception.
But cyberwar and cyberattacks are different. First, they are much more difficult to attribute, particularly if the victim of the attack is not the intended victim or is a collateral victim of the attack. Unlike a “wayward” missile, a company may be significantly downstream from the intended target of a cyberattack. Does the exclusion apply to any entity impacted by conduct which, if directed at an insured would be excluded? Second, there is the problem of attribution, or the failure thereof. While the U.S concluded that the Russians (or at least some sector of the Russian government) were responsible for NotPetya, Kremlin spokesman Dmitry Peskov in 2018 disavowed any such connection, calling the charges that Russia perpetuated the attack “unsubstantiated and groundless,” and part of a “Russophobic campaign that is not based on any evidence.” Of course, that’s exactly what you would expect them to say. Third, there are many attacks that might constitute a “hostile or warlike action” that may not be attributable to state actors. Non-state actors, organized hacker groups, hacktivists, politically motivated threat actors and just plain criminals engage in cyberattacks and frauds that are either “hostile” or “warlike.” Indeed, any conventional hacking activity could be used in furtherance of a kinetic war. Does the exclusion prevent coverage because of the “hostility” of the threat actor? Because the result is “warlike?” Because the intent is to disrupt? What about spontaneous and destructive protests over sanctions regimes? Or hacking by civilians in retaliation for a government policy? You realize, of course, this means war!
In a similar case, New Jersey pharmaceutical giant Merck was also hit by the NotPetya malware and suffered losses of $1.4 billion, and their insurance carrier similarly used the identical “warlike action” clause to deny coverage. In January 2022, the New Jersey Superior Court denied the carriers’ motion for summary judgement, stating in part that:
“[B]oth parties to this contract are aware that cyber attacks of various forms, sometimes from private sources and sometimes from nation-states have become more common. Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks…Having failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.”
There is no doubt that the current conflict in Ukraine is a “war.” Just this past weekend, in response to a likely Ukrainian attack on a bridge linking Russia to Crimea, Russian state-sponsored hackers reportedly launched “killnet” attacks on websites and infrastructure related to U.S. airlines and airports. This represents a new front in the battlefield—civilian cyber infrastructure. Is the cost of recovery and reconstruction of these airport computers not covered by insurance because it was motivated as punishment/deterrence for the bridge attack?
In the future, cyberinsurance carriers will have to use much clearer language about what is, and is not covered by their policies, and whether traditional act of war doctrines can be applied to cyber attacks. They will have to address issues of motive, identity, methodology, attribution, evidence, and ;proportionality. Not all “warlike” action is the same. A person wearing a Russian army uniform who bombs a Toblerone store in Kiev may be commiting an act of war, but the same person doing the same thing in a Toblerone store on Michigan Avenue (even with the same motivation) may not be. Both are hostile actions. Both are war – like. Only one (IMHO) is an excluded “act of war.” Why? I’m not sure—it just feels that way.