Watchful Eyes On A Disputed Cyber Insurance Claim

A case in the Illinois courts has drawn the attention of many legal and risk managers, and a variety of commentators. A Fortune 500 company that fell victim to the so-called NotPetra ransom attack of 2017 – suffering by its own account more than $100 million in damages – put in a claim under a property insurance policy. Coverage per the policy language extended to, among other things, “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction” as well as loss incurred during an interruption “directly resulting from the failure of the Insured’s electronic data processing equipment or media to operate….” The claim, however, was denied on the basis of a “hostile or warlike action” exclusion. (Since then the case has taken another turn, with the carrier rescinding that denial but claiming it on other grounds.) The case is  Mondelez International, Inc. v. Zurich American Insurance Co. This post from Lawfare looks at some of its implications, and it links to another Lawfare post that maintains the Mondelez case, whatever its outcome, points to the need for increased government-carrier cooperation in the area of cybersecurity, including a reinsurance program along the lines of what obtains for terrorism insurance.