Wargames: Analyzing the Act of War Exclusion in Cyber Risk Insurance Coverage and Its Implications for Cybersecurity Policy

Abstract

Cyber risk insurance coverage has become an increasingly vital tool permitting both public and private-sector organizations to mitigate an array of cyber risks, including the prevalent issue of ransomware. However, despite the rapid uptake of these policies, a series of have emerged, which have in turn only been exacerbated given the COVID-19 pandemic. Litigation has centered on issues ranging from what constitutes “covered computer systems” as many employees are working from home, to questions of negligence. Among the most vexing issues, though, with arguably wide-ranging implications for not only the cyber risk insurance industry, but on U.S. cybersecurity policy generally, consist of when a cyber attack that has been attributed back to a foreign nation constitutes an act of war thus excluding coverage. As one example, the 2017 NotPetya cyber attack resulted in more than $10 billion in damages globally, including more than $100 million to the multination food conglomerate, Mondelez International. However, when Mondelez filed a claim with its insurance firm, Zurich International, to recover these costs its claim was denied because NotPetya was considered a “hostile or warlike action” by a “government or sovereign power.” Mondelez countersued, alleging breach of contract, and the case remains pending in Illinois state court as of this writing. A similar case involving damage from NotPetya on Merck is likewise pending in New Jersey. Yet, the literature to date has largely ignored this vital issue. This Article makes several original contributions to this debate. First, it couches this issue as part a set of cybersecurity dilemmas facing organizations that are manifest in the ransomware epidemic. Relatedly, it summarizes findings from a statewide cybersecurity survey that was conducted in collaboration with the Indiana Attorney General’s Office. Second, it analyzes current pending litigation related to the act of war exclusion, and the impact of the 2019 Eleventh Circuit’s Universal Cable Productions LLC v. Atlantic Specialty Insurance Company holding, which called into question the efficacy of these exclusions in certain cases. Third, it brings in lessons not only from U.S. cybersecurity policy, but also on the applicable international law on defining acts of cyber war and related challenges of attribution. By way of conclusion, a standard is suggested to help guide courts, policyholders, and insurance companies in navigating these issues going forward.