Law360

‘Act Of War’ Questions In Cyberattack Insurance Case

April 23, 2019

By Daniel B. Garrie and Peter Rosen

Recently, Mondelez International Inc. sued Zurich American Insurance Co. for denying coverage, under its cyber policy’s war exclusion, for Mondelez’s alleged over $100 million in losses caused by the NotPetya ransomware attack in 2017. This case has the potential to make a significant impact on the cyber insurance market as it is the first time the war exclusion has been litigated in the cyber insurance context and highlights some key issues in applying traditional policy language to cyberattacks.

Does the war exclusion apply to cyberattacks? If so, can Zurich prove NotPetya came from a state actor given the challenge of attributing cyberattacks?

Mondelez was one of dozens of companies to suffer damages during the global NotPetya ransomware attack in 2017. The attack caused $10 billion in damage, according to the U.S. Department of Homeland Security.

Mondelez submitted a claim under its cyber policy with Zurich that covers “physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of machine code or instruction.” The policy also covered nonphysical losses and expenses caused by the failure of “electronic data processing equipment or media to operate” due to malicious cyber damage.

To read the full article, go to Law360