The Art of (Cyber) War, Or How A Little Known Policy Exclusion Can Nullify Your Insurance Coverage
By Saad Gul and Michael E. Slipsky
In June 2017, the NotPetya virus crippled many large companies including FedEx, Merck, and Mondelez (the manufacturer of Nabisco, Cadbury, and Toblerone). The aggregated losses, including property damage, operational disruptions, and supply chain disruptions, added up to hundreds of millions of dollars per large corporation. The billion-dollar question: who would bear this loss? A case in Cook County, Illinois, will provide at least a partial answer.
By way of background, companies mitigate the risk of losses through their Commercial General Liability (CGL) policy. The policy protects the company from extraordinary events. CGL policies generally offer coverage for bodily injury and property damage claims, but CGL policies did not protect against most cyber losses. Most insurance policies now specifically exclude coverage for such losses.
Corporations have responded by purchasing customized cyber liability coverage. Cyber insurance offsets the CGL cyber exclusion. Cyber policies specifically cover losses stemming from computer operations. Most combine traditional liability coverage protecting against third-party claims with first-party coverage that protects the insured.
Yet no insurance policy covers everything. And an escalating issue with cyber policies is that they exclude coverage for losses that stem from “acts of war.” For example, Mondelez’s insurer blamed Russia for NotPetya. Russia, which denied the allegations, was accused of targeting Ukraine with NotPetya. Mondelez was collateral damage. The insurer denied Mondelez NotPetya coverage based on a standard exclusion that said the policy would not cover losses for:
hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending or expected attack by any:
(i) government or sovereign power (de jure or de facto);
(ii) military, naval, or air force; or
(iii) agent or authority of any party specified in (i) or (ii) above.
This verbiage is standard in CGL policies. But how would it apply in the cyber context? Even the baseline issue of whether a state of war exists can be disputed. Cyber warfare has no Fort Sumter, no Appomattox, no Congressional Declaration of War, and no signing ceremony on the Missouri. The United States recognizes and maintains diplomatic relations with Russia and China. Yet we are still technically at war with North Korea. Does that affect the coverage analysis? No court has decided yet.
Historically, courts have struggled with the war exclusion. For instance, courts faced with the question of whether the Pearl Harbor attack invoked the exclusion split 50-50 on the issue. Compare New York Life Insurance v. Bennion, 158 F.2d 260 (10th Cir. 1946) and Stankus v. New York Life Insurance Co., 44 N.E.2d 687 (Mass. 1942) (exclusion applied) with Gladys Ching Pang v. Sun Life Assurance Co. of Canada, 37 Haw. 288 (1945) and Rosenau v. Idaho Mutual Benefit Association, 145 P.2d 277 (Idaho 1944) (exclusion did not apply).
But those cases involved stark undisputed facts. Grossly simplified, courts interpret “war” to require state action. But determining whether a particular cyber-attack results from state action is difficult. These difficulties are compounded by hackers’ ability to disguise the actual attack origination point by hijacking innocent third-party machines. Attribution necessarily requires inferences and surmises. Hard evidence is rare. So for instance, while the media widely attributed the Sony hack to North Korea, evidence for the connection was tenuous at best.
The evidentiary issues are exacerbated given that the motivation of the attackers is not always clear. Take a hypothetical attack, apparently originating from China. Is it the work of individual hackers or an intelligence unit? Is the intention to injure the United States as a nation or to gain a commercial advantage for a company? Were they acting under state orders or freelancing to make extra money?
Even if these questions could be answered, could a court do so? A litigant could subpoena members of the Intelligence Community and seek discovery of government assessments. It is unlikely to get far. Sources and methods are closely guarded. The government will be loath to share them in a court proceeding. These practical issues explain why bright-line rules in this area are hard to come by.
This confusion causes problems for insureds. The availability of coverage is contingent on whether the losses resulted from an “act of war.” For example, Mondelez’s insurer struggled to handle the NotPetya claim. It ultimately determined the claim was excluded as an act of war. Yet it did not reach that determination without difficulty. Mondelez ultimately sued the insurer for breach of contract. The Complaint alleges that the insurer at first denied coverage. It then reversed itself, and then reversed itself yet again.
The Mondelez case will be closely watched as a signal of how courts will view “act of war” cyber coverage denials. Insurers have the burden to demonstrate that an exclusion applies. The war exclusion presents a particularly formidable evidentiary hurdle in the cyber context. Even so, the policyholder has the ultimate burden of establishing coverage. For that reason, policyholders and their brokers must be intimately familiar with applicable policy terms, conditions, and exclusions.
Policyholders should also consult with counsel. Not all exclusions are equal. Some can be offset with “riders.” Some riders may be worth the additional outlay. Others will not. All present traps for the unwary. After all, Mondelez may be the first corporation to sue for coverage over the war exclusion issue. It will not be the last.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or firstname.lastname@example.org. Mike may be reached at 919.783.2851 or email@example.com.