“A Tale of Two Carriers – Disparate Views of War/Terrorism Exclusion”

In January, I offered my view on Zurich’s invocation of an ‘act of war’ exclusion to deny coverage for Mondelez International’s losses caused by NotPetya.  And made a funny joke about Oreos in the process.  You’re welcome.  More recently, I was interviewed by Matt Fleischer-Black for CyberInsecurity News on the same subject, and Matt suggested that his research revealed that Sony’s claims were covered by AIG following the 2014 ‘The Interview’ hack.  That got me thinking – if AIG covered Sony’s losses, is there a difference between Sony’s AIG policy and Mondelez’s Zurich policy?

Sony reportedly had an AIG CyberEdge policy in place when the “Guardians of Peace” hacked into Sony’s network in November 2014.  The GOP locked employees’ computers with a very scary image and threatened to release Sony’s data about unreleased movies and confidential business issues.  They also threatened “9-11 style” attacks at theatres that showed Sony’s “The Interview,” a comedy about two reporters sent to assassinate North Korean Supreme Leader Kim Jong Un.  The CIA identified the GOP as North Korean state actors, and President Obama enhanced sanctions against North Korea.


I don’t have Sony’s actual AIG policy.  I did, however, find a sample AIG CyberEdge policy that would have been in use during Sony’s April 2014 - April 2015 policy term.  Like Mondelez’s Zurich policy, it contains an ‘Act of War Exclusion.’  The AIG policy bars coverage “arising out of…war, invasion, military action…political disturbance, civil commotion, riot, martial law, civil war, mutiny, popular or military uprising, insurrection, rebellion, revolution, military or usurped power…”.

Did the act of war exclusion bar coverage for a reportedly North Korean cyber attack that threatened “9-11 style” violence in retaliation for a movie about the assassination of its most powerful political leader?  Nope.  Sony reported that AIG covered its claim, which some estimate approached $100 million.  President Obama agreed that the GOP hack was not an “act of war.” “I don’t think it was an act of war,” he told CNN. “I think it was an act of cyber vandalism that was very costly, very expensive.”

“Cyber vandalism.”  New words.  What do they mean?  And what’s the difference between “cyber vandalism” and “cyber terrorism,” or actual terrorism?

Zurich apparently does not believe that there is any difference.  The FBI believes that the Russian military launched NotPetya as an act of aggression against Ukraine.  Its propagation across hemispheres and the concomitant billions of dollars of global damages was, well, a happy accident.  Certainly, ‘The Interview Act’ seems closer to an act of war or terror as we’ve historically understood that language than does the NotPetya event that had no political motivations or threats of physical violence as against the United States.  And if “cyber vandalism” is a new risk entirely, one not barred by traditional act of war exclusions, NotPetya seems like a good place to start defining its scope.

AIG’s coverage position may not be rooted solely in a different interpretation of the exclusion.  ‘The Interview Hack’ involved one claim.  NotPetya affected thousands of American companies.  So, an economic analysis, at least in part, may be driving Zurich to use Mondelez as a test case.  Absent settlement, the case is poised to make important precedent.  Looking at how Zurich, AIG and other carriers have interpreted comparable exclusions under similar circumstances – thereby establishing a “custom and usage” – should be a significant part of the analysis.  Verizon reported that nation-state-driven cyber events comprised 12% of compromises in 2018, and I’ve seen estimates attributing as many as 50% of breaches to nation-state actors.  If nation states are this substantial a threat actor, and if Zurich is permitted to deny coverage based on the act of war/terror exclusion, many insureds will have purchased significantly less valuable coverage than they had believed.  This would be precisely the narrative that the cyber market has been trying to avoid as premiums reach an estimated $5 billion annually.

So, as De La Soul once said, the “stakes is high.”