publications full of ideas

The Art of (Cyber) War, Or How A Little Known Policy Exclusion Can Nullify Your Insurance Coverage

12.17.2018

In June 2017, the NotPetya virus crippled many large companies including Merck and Mondelez (the manufacturer of Nabisco, Cadbury, and Toblerone). The aggregated losses, including property damage, operational disruptions, and supply chain disruptions, added up to hundreds of millions of dollars per large corporation. The billion dollar question: who would bear this loss? A case in Cook County, Illinois, will provide at least a partial answer.

By way of background, companies mitigate the risk of losses through their Commercial General Liability (CGL) policy. The policy protects the company from extraordinary events. CGL policies generally offer coverage for bodily injury and property damage claims, but CGL policies did not protect against most cyber losses. Most insurance policies now specifically exclude coverage for such losses.

Corporations have responded by purchasing customized cyber liability coverage. Cyber insurance offsets the CGL cyber exclusion. Cyber policies specifically cover losses stemming from computer operations. Most combine traditional liability coverage protecting against third-party claims with first-party coverage that protects the insured.

Yet no insurance policy covers everything. And an escalating issue with cyber policies is that they exclude coverage for losses that stem from “acts of war.” For example, Mondelez’s insurer blamed Russia for NotPetya. Russia, which denied the allegations, was accused of targeting Ukraine with NotPetya. Mondelez was collateral damage. The insurer denied Mondolez NotPetya coverage based on a standard exclusion that said the policy would not cover losses for:

hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending or expected attack by any:
(i) government or sovereign power (de jure or de facto);
(ii) military, naval, or air force; or
(iii) agent or authority of any party specified in (i) or (ii) above.

This verbiage is standard in CGL policies. But how would it apply in the cyber context? Even the baseline issue of whether a state of war exists can be disputed. Cyber warfare has no Fort Sumter, no Appomattox, no Congressional Declaration of War, and no signing ceremony on the Missouri. The United States recognizes and maintains diplomatic relations with Russia and China. Yet we are still technically at war with North Korea. Does that affect the coverage analysis? No court has decided yet.

Historically, courts have struggled with the war exclusion. For instance courts faced with the question of whether the Pearl Harbor attack invoked the exclusion split 50-50 on the issue. Compare New York Life Insurance v. Bennion, 158 F.2d 260 (10th Cir. 1946) and Stankus v. New York Life Insurance Co., 44 N.E.2d 687 (Mass. 1942) (exclusion applied) with Gladys Ching Pang v. Sun Life Assurance Co. of Canada, 37 Haw. 288 (1945) and Rosenau v. Idaho Mutual Benefit Association, 145 P.2d 277 (Idaho 1944) (exclusion did not apply).

But those cases involved stark undisputed facts. Grossly simplified, courts interpret “war” to require state action. But determining whether a particular cyber attack results from state action is difficult. These difficulties are compounded by hackers’ ability to disguise the actual attack origination point by hijacking innocent third-party machines. Attribution necessarily requires inferences and surmises. Hard evidence is rare. So for instance, while the media widely attributed the Sony hack to North Korea, evidence for the connection was tenuous at best.

The evidentiary issues are exacerbated given that the motivation of the attackers is not always clear. Take a hypothetical attack, apparently originating from China. Is it the work of individual hackers or an intelligence unit? Is the intention to injure the United States as a nation or to gain a commercial advantage for a company? Were they acting under state orders or freelancing to make extra money?

Even if these questions could be answered, could a court do so? A litigant could subpoena members of the Intelligence Community and seek discovery of government assessments. It is unlikely to get far. Sources and methods are closely guarded. The government will be loath to share them in a court proceeding. These practical issues explain why bright line rules in this area are hard to come by.

This confusion causes problems for insureds. The availability of coverage is contingent on whether the losses resulted from an “act of war.” For example, Mondelez’s insurer struggled to handle the NotPetya claim. It ultimately determined the claim was excluded as an act of war. Yet it did not reach that determination without difficulty. Mondelez ultimately sued the insurer for breach of contract. The Complaint alleges that the insurer at first denied coverage. It then reversed itself, and then reversed itself yet again.

The Mondelez case will be closely watched as a signal of how courts will view “act of war” cyber coverage denials. Insurers have the burden to demonstrate than an exclusion applies. The war exclusion presents a particularly formidable evidentiary hurdle in the cyber context. Even so, the policyholder has the ultimate burden of establishing coverage. For that reason, policyholders and their brokers must be intimately familiar with applicable policy terms, conditions, and exclusions.

Policyholders should also consult with counsel. Not all exclusions are equal. Some can be offset with “riders.” Some riders may be worth the additional outlay. Others will not. All present traps for the unwary. After all, Mondelez may be the first corporation to sue for coverage over the war exclusion issue. It will not be the last.

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.

Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.

related information

what's new at the firm

Poyner Spruill names new partner, welcomes three new attorneys to strengthen North Carolina practice

1/16/2019

RALEIGH, N.C. — Poyner Spruill LLP, a commercial law firm with offices across North Carolina, is pleased to announce the firm has named Emily Meeker a partner of the firm while also welcoming three new attorneys, one of whom is returning after serving in an in-house counsel role with a healthcare company.

Our Voices - Cultivating Leadership: An Intimate Discussion with Leaders in our Communities

1/14/2019

The Poyner Spruill Diversity Committee is celebrating Black History Month by hosting an intimate panel discussion with key leaders who have been successful in the legal field. The hour-long discussion will focus on how young minorities can navigate the legal industry and position themselves as leaders in their respective communities. Diversity is critical for an organization to be able to adapt in a fast-changing environment. The panel will shed light on the challenges of attaining meaningful diversity and create discussion and generate ideas on how to continue advancing diversity within the legal industry.

Eight attorneys earn distinction in Business North Carolina's 2019 Legal Elite

1/2/2019

RALEIGH, N.C. — Poyner Spruill LLP is proud to announce that eight attorneys received a total of nine recognitions as members of Business North Carolina’s 2019 class of Legal Elite. This included Keith Johnson becoming a member of the Business North Carolina’s Legal Elite Hall of Fame for Environmental attorneys.

p.s. Lunch & Learn: How Certain Tax Changes Could Impact Your Personal Life

12/20/2018

The Tax Cuts and JOBS Act will affect divorce, estate planning, and much more. Join us to learn what you can do to mitigate the impact.

Poyner Spruill named a firm of the year winner in Lawyer Monthly Legal Awards 2018

12/13/2018

RALEIGH, N.C. — Poyner Spruill is pleased to have earned recognition in the Lawyer Monthly Legal Awards 2018 as the Administrative and Environmental Law Firm of the Year for the United States.