It depends on what you think the word “war” means. Webster’s dictionary says war is an armed conflict between countries, but it goes on to say war can also mean any active hostility, contention or struggle.
Even CCTV owners are accountable - in Austria a retailer with a closed circuit camera in front of the store was fined for violating the privacy of passersby in what was determined to be “public space.”
Why am I telling you this? Because insurance carriers are increasingly using the second definition to disallow claims from insureds who have been the victims of cyberattacks.
In a closely watched case inching its way through the courts in Illinois, Zurich Insurance is refusing to reimburse Mondelez International (Ritz crackers, Oreos, Cadbury chocolate) for the $100 million loss of property it sustained in the NotPetya cyberstrike in 2017. Citing a common but rarely used clause in insurance contracts – the “war exclusion” – Zurich has concluded Mondelez was simply collateral damage in a cyberwar.
NotPetya was a watershed moment. Since the Zurich action, insurers have also denied claims by pharmaceutical giant Merck, which alleges losses in excess of $700 million from the same attack. In New Jersey, Merck sued more than 20 insurers; it will likely take years for these cases to be settled.
But these actions have set a precedent and a burden for the legal system, which must contend with an almost unanswerable question – Is a cyberattack war? In the case of NotPetya (oddly named because some researchers initially confused it with a piece of ransomware called Petya), the Russian government was ultimately determined to be the source of the attack.
By naming and blaming, the United States government gave cover to insurers by providing a rationale to deny claims. Malware moves fast and unpredictably, leaving an expensive trail of unanticipated consequences. Merck and Mondelez will argue they were not the intended targets of the attack and simply got caught up in the broad sweep of the spreading computer virus.
In the case of NotPetya, the attack was originally a Russian effort to take down a Ukrainian software maker. In just 24 hours, NotPetya wiped out ten percent of all computers in Ukraine. The attack made its way to the software maker’s global customers, such as Mondelez and Merck, as well as global shipper Maersk and FedEx’s European subsidiary. And in a moment of sweet irony, NotPetya even attacked Rosneft, the Russian state-owned oil giant.
Cyber policies are often written narrowly, focusing on the loss of customer data, not property. Mondelez has argued in court that in 2016 its policy was updated to specifically protect against “the malicious introduction of a machine code or instruction.” Historically, courts have ruled against insurers’ efforts to invoke the war exclusion. The question now is whether the U.S. government’s attribution of NotPetya to Russia meets the bar for the war exclusion.
The bottom line on all this is that cyberwar is still largely undefined. Attribution can be difficult when state actors work undercover or through unofficial links to the state, and the blamed government denies involvement. Essentially, when does cyberterrorism morph into cyberwar?
The only thing clear in this muddied mess is that collateral damage from attacks that get out of control is going to become more and more common. Until insurers and insureds can develop guidelines and legal precedent that address this growing and very gray area of risk, the question of whether you can truly protect against cyberattacks will remain open.
For further reading on this topic: