As carriers rewrite their act-of-war exclusions following the NotPetya settlement between Mondelez & Zurich, organisations should read their cyber insurance policies carefully to see what is still covered.
The consequences from NotPetya, which the US Govt. stated was caused by a Russian cyber-attack on Ukraine in 2017, continue to be felt as cyber insurers modify coverage exclusions, expanding the definition of an “act of war.” Indeed, the 5-year-old cyber-attack appears to be turning the cyber insurance market on its head.
Regain Control
Mondelez International, parent of such popular brands as Cadbury, Oreo, Ritz, & Triscuit, was hit hard by NotPetya, with factories & production disrupted. It took days for the company’s staff to regain control of its computer systems.
The company filed a claim with its property & casualty insurer, Zurich American, for $100m in losses. After initially approving a fraction of the claim — $10m — Zurich declined to pay, stating the attack was an act of war & thus excluded from the coverage. Mondelez filed a lawsuit.
Late last month Mondelez & Zurich American reportedly agreed to the original $100m claim, but that wasn’t until after Merck won its $1.4b lawsuit against Ace American Insurance Company in Jan. 2022 for its NotPetya-related losses. Merck’s claims also were against its property & casualty policy, not a cyber insurance policy.
Claims for Damages
In 2017, cyber insurance policies were still in their early days, & so many large corporations filed claims for damages related to NotPetya — the scourge that caused an estimated $10b in damage worldwide — against corporate property & casualty policies.
What’s Changed? The significance of these settlements illustrates an ongoing maturation of the cyber insurance market, says Forrester Research.
Lax Cyber Security
Until 2020 & the COVID-19 pandemic, cyber insurance policies were sold in a way similar to traditional home or auto policies, with little thought for a company’s cyber security profile, the tools it had in place to defend its networks & data, or its general ‘cyber-hygiene’.
Once a large number of ransomware attacks occurred that built off of the lax cyber security many organisations demonstrated, insurance carriers began tightening the requirements for obtaining such policies.
