Cyberattacks are a nightmare for chief executives. To make matters worse, their insurers may refuse to pay up for damage the hackers do to their business.
A dispute between food and beverage giant Mondelez and Zurich Insurance (ZURVY) shows just how much is at stake. Mondelez has filed a lawsuit in Illinois that accuses the insurance company of refusing to cover losses it suffered as a result of the NotPetya cyberattack.
The attack swept across the world in June 2017, infecting networked computers at companies including advertising group WPP (WPPGF), drugmaker Merck (MKGAF) and global shipping company FedEx (FDX).
Mondelez (MDLZ) said in October 2018 that the attack cost it at least $114 million. But according to the lawsuit, Zurich Insurance has cited a “war exclusion” and refused to cover the losses.
The ‘war exclusion’
The United States and the United Kingdom have blamed the NotPetya attack on Russia, suggesting that it was part of an effort to destabilize Ukraine.
In its lawsuit, Mondelez claims that Zurich Insurance subsequently refused to compensate it for losses suffered in the attack, citing a contract exemption for a “hostile or war like act” by any “government or sovereign power.”
Zurich Insurance declined to comment on the dispute, saying it does not give details about individual policies. Mondelez also declined to comment.
The case could prove to be an important test for both companies and insurers, and help to establish when policyholders should be compensated for a cyberattack.
Executives in Europe, East Asia and North America say cyberattacks are the number one risk facing their companies, according to a survey published in November by the World Economic Forum.
Yet many companies do not have insurance that specifically covers cybercrimes, relying instead on general “all-risk” policies.
“Many of these all-risk policies may not even mention cyber, they were not designed to cover cyber,” said Christine Marciano, CEO of insurance broker Cyber Data Risk Managers.
“They were written at a time when nobody could have predicted that these attacks would happen,” she said.
Marciano said the insurance industry is closely watching legal actions such as the one filed by Mondelez to see whether more general policies should cover cyberattacks.
The nature of cyberattacks present real risks for insurers, as well as their clients.
Domenico del Re, an insurance expert and director at PwC, said insurers are most worried about systemic cyberattacks on the scale of NotPetya because they can simultaneously affect multiple clients across the world.
“This is what is different about cyber,” he said. Other risks, like theft or kidnapping, are unlikely to affect multiple clients at the same time, he added.
The damage can also be extensive.
“There is a myriad of ways in which a cyberattack can cause financial loss — actual physical loss to the IT equipment, claims from third parties whose data was lost, fines, fraudulent transactions,” del Re said.
That means that an insurance company could be on the hook for physical and financial losses, as well as damage to users and clients caused by data theft.
Data issues have become even more pressing after the General Data Protection Regulation (GDPR) came into effect last year in Europe. The law can mean huge fines for companies.
This could happen to you
“Companies that used to have the mindset of ‘this can’t happen to me’ …. are now starting to realize this is something they can’t be without,” said Marciano.
Limited data on the damage caused by major cyberattacks makes it difficult for insurance companies to model and price policies.
Mondelez said its $114 million in losses were caused by property damage and disruptions to its business. It said in October that NotPetya had destroyed 1,700 of its servers and 24,000 of its laptops.
Equifax (EFX), which was also hit by a huge hack in 2017, said its damages exceeded $350 million. Insurance has so far covered $95 million, it said in its most recent quarterly financial report.