This is a big-time case that has a lot of implications for the cyber liability insurance market. Whether you’re an insurer, an agent a broker, or even a company with cyber insurance, this case really has a lot to do with your future coverage.
This case comes from an article from Cyberscoop about a dispute over whether coverage applies to a certain malware cybersecurity issue.
What happened is, Mondelez which is a major company, had an attack that caused $10 billion in damages globally and on other computer networks besides its own. The insurance provider claimed that an act of war exemption mitigated the claim; meaning that there was an exclusion in the cyber insurance policy for an act of war, they don’t cover cyber attacks that have to do with an act of war.
So the insurance company said this particular attack came from Russian military hackers and it was against Ukraine and that it spread around the world and got into Mondelez computers. Well, the claim was denied. Mondelez took the case to court and they claim that it was not an exclusion under their policy, but they were collateral damage in a much larger cyber conflict that had nothing to do with them. And they settled, so they basically won.
The article says “last week’s ruling makes insurance companies have to rethink what an act of war means. Current definitions come out of the 19th century when we had pirates navies and privateers”. So you’re going to find that in any kind of coverage, not just cyber coverage, there are often exclusions on a policy for acts of war. It’s a broad coverall-type exclusion. Well, an insurance company can claim that a particular hack or ransomware has to do with a war action and it could be broadly construed based on you know the fact that if the hackers were part of a military that could be an act of war.
Even though this ruling may not be binding as a precedent, it’s certainly an indication of how judges and juries might view the insurance company’s perception of an act of war. It may not result in insurance companies stopping trying to make this exclusion in other cases, but at least they will shift the strategy to writing exclusions. And maybe changing it to “war-like acts” instead of acts of war. The main thing to keep in mind is that there is a lot of overlap between military action, wars, conflicts, and cyber attacks. And if your policy has that exclusion, you want to make sure that your coverage matches what you’re expecting from your insurance company. Either way, this ruling starts to define some of the boundaries of what is an act of war on cyber insurance and what is still covered under the policy language.