Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Amid Legal Fallout, Cyber Insurers Redefine State-Sponsored Attacks as Act of War

As carriers rewrite their act-of-war exclusions following the NotPetya settlement between Mondelez and Zurich, organizations should read their cyber insurance policies carefully to see what is still covered.

5 Min Read
Steinenberg, Basel, Switzerland - February 19th, 2018. Front view of a carnival group with the topic of cyber warfare
Source: Entertainment and celebrities via Alamy Stock Photo

The consequences from NotPetya, which the US government said was caused by a Russian cyberattack on Ukraine in 2017, continue to be felt as cyber insurers modify coverage exclusions, expanding the definition of an "act of war." Indeed, the 5-year-old cyberattack appears to be turning the cyber insurance market on its head.

Mondelez International, parent of such popular brands as Cadbury, Oreo, Ritz, and Triscuit, was hit hard by NotPetya, with factories and production disrupted. It took days for the company's staff to regain control of its computer systems. The company filed a claim with its property and casualty insurer, Zurich American, for $100 million in losses. After initially approving a fraction of the claim — $10 million — Zurich declined to pay, stating the attack was an act of war and thus excluded from the coverage. Mondelez filed a lawsuit.

Late last month Mondelez and Zurich American reportedly agreed to the original $100 million claim, but that wasn't until after Merck won its $1.4 billion lawsuit against Ace American Insurance Company in January 2022 for its NotPetya-related losses. Merck's claims also were against its property and casualty policy, not a cyber insurance policy.

Back in 2017, cyber insurance policies were still nascent, so many large corporations filed claims for damages related to NotPetya — the scourge that caused an estimated $10 billion in damage worldwide — against corporate property and casualty policies.

What's Changed?

The significance of these settlements illustrate an ongoing maturation of the cyber insurance market, says Alla Valente, senior analyst at Forrester Research.

Until 2020 and the COVID-19 pandemic, cyber insurance policies were sold in a fashion akin to traditional home or auto policies, with little concern for a company's cybersecurity profile, the tools it had in place to defend its networks and data, or its general cyber hygiene.

Once a large number of ransomware attacks occurred that built off of the lax cybersecurity many organizations demonstrated, insurance carriers began changing their requirements and tightening the requirements for obtaining such policies, Valente says.

The business model for cyber insurance is dramatically different from other policies, making the cyber insurance policies of 2017 obsolete. Cyber insurance is in a state of flux, with turnover in the carrier market, lower limits on covered offered, and more aggressive terms, including exclusions, over what was in place prior to 2020.

Defining an Act of War

Acts of war are a common insurance exclusion. Traditionally, exclusions required a "hot war," such as what we see in Ukraine today. However, courts are starting to recognize cyberattacks as potential acts of war without a declaration of war or the use of land troops or aircraft. The state-sponsored attack itself constitutes a war footing, the carriers maintain.

In April 2023, new verbiage will go into effect for cyber policies from Lloyd's of London that will exclude liability losses arising from state-backed cyberattacks. In a Market Bulletin released in August 2022, Lloyd's underwriting director Tony Chaudhry wrote, "Lloyd's remains strongly supportive of the writing of cyber-attack cover but recognizes also that cyber related business continues to be an evolving risk. If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage."

Lloyd's went on to publish additional supplemental requirements and guidance that modified its rules from 2016, just prior to the NotPetya attack.

Effectively, Forrester's Valente notes, larger enterprises might have to set aside large stores of cash in case they are hit with a state-sponsored attack. Should insurance carriers be successful in asserting in court that a state-sponsored attack is, by definition, an act of war, no company will have coverage unless they negotiate that into the contract specifically to eliminate the exclusion.

When buying cyber insurance, "it is worth having a detailed conversation with the broker to compare so-called 'war exclusions' and determining whether there are carriers offering more favorable terms," says Scott Godes, partner and co-chair of the Insurance Recovery and Counseling Practice and the Data Security & Privacy practice at District of Columbia law firm Barnes & Thornburg. "Unfortunately, litigation over this issue is another example of carriers trying to tilt the playing field in their favor by taking premium, restricting coverage, and fighting over ambiguous terms."

For small and midsize businesses (SMBs) that get hit by a state-sponsored attack, it could be "lights out," Valente says. Plus, she emphasizes, SMBs often are targeted if they are primary or secondary suppliers to a large enterprise with information the attacker wants. That means a state-sponsored attack on a small company without the right insurance coverage could be out of business simply because the attacker was a nation-state rather than a cybercriminal.

Understand What Is Covered

While the European and North American cyber insurance markets are similar, they are by no means identical.

"Not every [American] policy will have language recommended by the London insurance market, and those rules do not apply to American insurance carriers," Godes says. "As a best practice, policyholders should consider whether London market insurance carriers are offering the most robust coverage after the recommended changes go into effect."

Godes, whose firm represents the insured rather than the carriers or brokers, notes, "This case is an example to policyholders that when claims get really expensive, carriers will do everything they can to fight coverage. The insured always should remember that the insurance carrier must prove that an exclusion applies. And sometimes," he quips, "the insured will need to litigate with its carrier to get the coverage it thought it was buying."

The upshot from the Merck and Mondelez cases, as well as Lloyd's recent announcement: State-sponsored attacks now fall into the act-of-war exclusion.

"Many carriers are in the process of rewriting their act of war exclusions to address the realities of state-sponsored or assisted cyberattacks and also because courts, as indicated in a few recent decisions and perhaps implied by the Mondelez settlement, are looking skeptically at the application of clauses written for traditional guns and bullets warfare to cyberattacks," says Kenneth Rashbaum, a partner at New York law firm Barton. "I think this is the most significant takeaway from Mondelez and those recent court decisions. Carriers who update their clauses will be more aggressive in denials of coverage for attacks that may be considered state-sponsored, while those that do not update the clauses may be less inclined to rely on them."

About the Author

Stephen Lawton, Contributing Writer

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at [email protected].

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights