Insuring the Uninsurable: Cyber Insurers' Dilemma in Hacker Payouts
Download MP3This is a big-time case that has a lot of implications for the cyber liability insurance market, whether you're an insurer, an agent, a broker, or even a company with cyber insurance. This case comes out of a dispute over whether coverage applies to a certain malware cyber security issue.
What happened is Mondelez, which is a major company, had a malware attack, which caused $10 billion in damages globally and on other computer networks besides its own. The insurance provider claimed that an act of war exemption mitigated the claim, meaning that there's an exclusion in cyber insurance policies for an act of war. They don't cover cyberattacks that have to do with an act of war.
So, the insurance company said, "Look, this particular attack came from Russian military hackers, and it was against Ukraine, and then it spread around the world and got into Mondelez computers." Well, it was denied. The claim was denied. Well, the company took the case to court, and they claimed that it was not an exclusion under their policy but collateral damage in a much larger cyber conflict that had nothing to do with them. And they settled, so they basically won.
Last week's ruling makes the insurance companies have to rethink what an act of war means. Current definitions come from the 19th century, when we had pirates, navies, and privateers. So, you're going to find that in any kind of coverage, not just cyber coverage, there are often exclusions on a policy for acts of war, and it's a broad coverall-type exclusion.
Well, an insurance company can claim that a particular hack, ransomware, or some other type of cyber attack has to do with a war action, and it could be broadly construed based on, you know, the fact that if the hackers were part of a military, that could be an act of war.
Even though this ruling may not be binding as a precedent, it's certainly an indication of how judges and juries might view the insurance companies' perception of what is an act of war. Look, it may not result in insurance companies stopping trying to make this exclusion in other cases, but at least they will shift the strategy to writing exclusions and maybe changing it to war-like acts instead of acts of war.
The main thing to keep in mind is that there is a lot of overlap between military action, wars, conflicts, and cyber attacks, and if your policy has that exclusion, you want to make sure that your coverage matches what you're expecting from your insurance company. Either way, this ruling starts to define some of the boundaries of what is an act of war on cyber insurance and what is still covered under the policy language.
