Notwithstanding the absence of a congressional war declaration since Japan bombed Pearl Harbor, Zurich American Insurance Company has invoked a “war exclusion” in an attempt to avoid covering Illinois snack food and beverage company Mondelez International Inc.’s expenses stemming from its exposure to the NotPetya virus in 2017. The litigation, Mondelez Intl. Inc. v. Zurich Am. Ins. Co., No. 2018-L-11008, 2018 WL 4941760 (Ill. Cir. Ct., Cook Cty., complaint filed Oct. 10, 2018), remains pending in an Illinois state court.The NotPetya malware attack, which both the US and British governments have blamed on Russian operatives, disabled infrastructure in Ukraine and compromised computer systems worldwide. The exploit was disseminated via a hijacked software update for a Ukrainian tax software tool and phishing emails. NotPetya mimicked Petya ransomware, but instead of infected systems being held hostage for ransom, the software scrambled data, making it effectively useless.
Mondelez submitted a claim under its Zurich property insurance policy that provided coverage for “physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of a machine code.” According to Mondelez’s complaint, Zurich adjusted the claim and even went as far as committing to an unconditional advance of $10 million as a partial payment toward Mondelez’s losses. But, after changing coverage counsel, Zurich suddenly changed course and invoked the policy’s “war exclusion” to deny coverage. Mondelez brought suit against Zurich, alleging breach of contract, promissory estoppel and vexatious and unreasonable conduct under Illinois Insurance Code Section 155. Mondelez is seeking $100 million in damages.
Historically, courts considering the applicability of “war exclusions” have had a great deal of information at their disposal concerning the nature of an attack, the identity of its perpetrator and the source of the funding or planning. The actors were known, the nature of the attack was clear and the greater context in which the attack occurred, along with its motivation, was apparent. In today’s world, however, where state-sponsored actors are ubiquitous in cyberattacks and malware incidents, insurance policies that exclude hostile or warlike actions or terrorism may not effectively protect the insured’s interests. Although the burden remains on an insurer to prove that such an exclusion is a bar to coverage, the dispute between Mondelez and Zurich highlights the need for policyholders to carefully consider whether their existing coverage will protect against cyber losses and, going forward, insist on narrowly tailored exclusionary language in their policies.