Page 30 - Insurance Times August 2023
P. 30
In the other similar case involving Mondolez and Zurich
American Insurance, in 2022 the insurer decided to settle
the ongoing litigation (which lasted close to four years), after
initially denying to pay the claim.
Here it is also important to note, that although the American
government put responsibility for the attack on Russia and
its military, it never used the term cyberwar. In the past also,
American officials did not use the term war to describe cyber-
attacks, fearing such usage may escalate any ongoing conflict.
In 2014 when Sony Pictures Entertainment was the target of
a North Korea-backed cyber-attack, the US govt. condemned
the attack but stopped short of describing it as cyberwar.
Rather the US govt. described it as an act of
"cybervandalism".
hinged on the apparent differentiation between physical war
and cyber warfare.
In the case of the NotPetya attack also, the US govt. never
officially used the term cyberwar. The Press Release from
Here it's pertinent to note that as per federal statute 18 U.S.
the White House described it as the "most destructive and
Code 2331, the legal definition of an act of war is "any act
costly cyber-attack in history".
occurring in the course of-
(A) Declared war;
The impact:
(B) Armed conflict, whether or not war has been declared, The uniqueness of the cases, the landmark verdict, the huge
between two or more nations; or settlements, and their implications had significant impacts
C) Armed conflict between military forces of any origin;" both on the insured and insurers.
So even though many experts considered the NotPetya cyber Predictably the court verdict and settlement were welcomed
attack as an extension of the armed conflict between Ukraine by the community of the insured. It was also perceived as
& Russia, the cyber attack in its own merit doesn't qualify to positive for the cyber insurance market in general. There is a
be a 'war' and the court also confirmed the same. general sentiment that had the court upheld the application
of war exclusion, cyber insurance policies would have been
In the verdict, the Court further observed that the language rendered purposeless as the majority of the cyber attacks
used for the said exclusion wordings are the same for a long can be linked to a sovereign nation-state. But the NotPetya
time and the plain meaning of it warrants cyber attack not to events also hardened the reinsurance market.
be considered under the purview of the term "war". Further,
the court also observed that the event of cyberattack is The cases also brought to the fore the issue of silent cyber
common knowledge and, there has been no action from the exposure. Pre-2018 many underwriters were not sure how
side of the insurer to change the exclusion wordings to cyber-related events would play out in property all-risk
accommodate it. The insurer having failed to change the policies. The Not Petya attack made it evident, if not
wording of the war exclusion to explicitly include a cyber underwritten properly, cyber-related events will trigger
attack or cyberwarfare, has given the insured reasonable claims, even if the policy were not designed to respond to
grounds to assume that cyber attack is not an exclusion. Merck cyber-related events. In 2020 Lloyds also released a market
also said in its defense that their understanding was that the bulletin (Ref: Y5258) requiring all policies to specify the status
war exclusion applied only to traditional forms of warfare. of cyber-related events' coverage through explicit affirmative
cover or by stated exclusion.
The court also relied on testimony from domain experts who
confirmed that the term 'war' refers to the use of armed Possibly the most significant impact of these events was the
forces between rival states. fact that Lloyds was forced to change its wording related to
24 August 2023 The Insurance Times