In January, I offered my view on Zurich’s invocation of an ‘act of war’ exclusion to deny coverage for Mondelez International’s losses caused by NotPetya. And made a funny joke about Oreos in the process. You’re welcome. More recently, I was interviewed by Matt Fleischer-Black for CyberInsecurity News on the same subject, and Matt suggested that his research revealed that Sony’s claims were covered by AIG following the 2014 ‘The Interview’ hack. That got me thinking – if AIG covered Sony’s losses, is there a difference between Sony’s AIG policy and Mondelez’s Zurich policy?
Sony reportedly had an AIG CyberEdge policy in place when the “Guardians of Peace” hacked into Sony’s network in November 2014. The GOP locked employees computers with a very scary image and threatened to release Sony’s data about unreleased movies and confidential business issues. They also threatened “9-11 style” attacks at theatres that showed Sony’s “The Interview,” a comedy about two reporters sent to assassinate North Korean Supreme Leader Kim Jong Un. The CIA identified the GOP as North Korean state actors, and President Obama enhanced sanctions against North Korea.
I don’t have Sony’s actual AIG policy. I did, however, find a sample AIG CyberEdge policy that would have been in use during Sony’s April 2014 -April 2015 policy term. Like Mondolez’s Zurich policy, it contains an ‘Act of War Exclusion.’ The AIG policy bars coverage “arising out of…war, invasion, military action…political disturbance, civil commotion, riot, martial law, civil war, mutiny, popular or military uprising, insurrection, rebellion, revolution, military or usurped power…”.