Welcome back. Unless you never left, in which case you’re probably having a smoother morning than I am. If you’re reading this, we’re both having better mornings than Mondelez International, Inc. had on June 27, 2017, when the company was hit by the NotPetya attack that rocked pretty much the whole world. Think you never heard of Mondelez? It’s the snack food mega company that makes Ritz crackers, Cadbury chocolates and milk’s and my favorite cookie – the Oreo.
Refresher on NotPetya – most (including the CIA) believe this attack was propagated by the Russian military against Ukraine, where it is estimated that 50-80% of damage occurred. Many believe that the spread of this malware – the fastest ever as of the time of the attack – to multinational and US corporations was not even intentional. That didn’t stop it from causing an estimated $10 billion in damages to hospitals, banks, shipping companies and others worldwide.
Mondelez, though, has a Zurich insurance policy that specifically covers “physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of machine code or instruction.” When NotPetya hit Mondelez, it permanently destroyed 1,700 servers and 24,000 computers. Mondelez claims that it lost over $100 million in the form of property damage, commercial supply and distribution disruptions, unfulfilled customer orders and reduced margins. Mondelez tendered a claim to Zurich, and Zurich wasn’t exactly sure what to do.
This is what everyone was afraid of, including me. The cyberinsurance market has been growing at an exponential rate, but underwriting data is relatively limited compared to other risks and the consequences of an incident like NotPetya are potentially more substantial than any risk ever underwritten. What happens when carriers sell millions, or even billions, of dollars of coverage and then the whole world suffers a giant cyber incident at one time?
Initially, Zurich denied coverage on the sole basis of an ‘act of war exclusion,’ which I’ve previously called into question in the context of any cyberinsurance policy here. Zurich took the position that because the Russian military is believed to have launched NotPetya, the incident was a “hostile or warlike action” for which coverage is excluded. Then Zurich allegedly changed its mind, offering to front $10 million in coverage while reserving its rights. Then Zurich refused to pay anything and issued a second denial of coverage letter asserting a myriad of new grounds to deny coverage. Not great facts for a carrier in any coverage litigation.
Certainly not in this context. The reasonable expectations doctrine may not be at the forefront of every coverage opinion, but I’ve always believed that Courts try to employ it even if by another, and sometimes completely unrecognizable, name. The doctrine simply requires the insurer to provide an insured with the coverage that the insured reasonably believed it had purchased. Here, Mondelez recognized the severity of the cyber threat faced by large corporations and it had coverage in place. It’s probably reasonable to believe that this coverage applies to one of the most significant cyber incidents ever. And as to Mondelez, it would also be reasonable to believe that the attack was not an act of war for at least three reasons: (1) everyone loves Oreos; (2) there may never be definitive proof as to who or what launched the attack and for what purpose, all of which will be Zurich’s burden to prove; and (3) even if we accept that this was an attack by Russia against Ukraine, it doesn’t even appear to be an attack on the United States, where many believe the consequences were wholly unintended – I haven’t looked, but I’m hard-pressed to believe any carrier has ever excluded coverage on the grounds of an unintentional act of war.
This case is likely not the only one of its kind in the wake of NotPetya, and its predecessor, WannaCry. Coverage issues presented by these attacks highlight an important potential vulnerability in the cyber market. As attacks increase in scope and effectiveness, it becomes more likely that many insureds will simultaneously suffer significant damages. In this first round of coverage disputes concerning broad-scale attacks, it remains to be seen whether carriers can and will provide the coverage that customers reasonably believed they were buying. In the meantime, make sure to specifically address coverage for large-scale attacks with your broker when buying or renewing coverage. There are likely a number of ways to address these issues, and if there is not an available insurance solution for your particular circumstance, you’d rather find that out upfront than after a potentially company-crippling cyber attack.
Mondelez has filed suit in the Cook County Illinois Circuit Court, Docket No. 2018L011008. Here’s Mondelez’s complaint. Zurich has yet to respond.