Insurers cite 'War Exclusion' clause to avoid paying damages
When Mondelez International became a victim of the NotPetya ransomware attack in June 2017, their losses totalled more than US$100 million. The food and beverage conglomerate turned to their insurer, Zurich, and were shocked by what they heard.
Zurich weren't going to pay, citing the 'war exclusion' clause in their policy as reason for non-payment. The clause is commonplace throughout the insurance industry and Zurich's standard clause, which often appears under the heading "War, Act of terrorism, Confiscation, Radioactivity", reads:
“War, invasion, acts of foreign enemies, hostilities or warlike operations (whether war be declared or not), civil war, rebellion, revolution, insurrection, civil commotion assuming the proportions of or amounting to an uprising, military or usurped power”
The grey area lies in the question, what constitutes 'war'? Like many aspects of life in the digital age, war as we know it has changed. Think 'cyber warfare', for one. With this (no doubt) in mind, and aided by the fact that not only the USA, but countries such as the UK, Canada and Australia lay blame for NonPetya on Russia, a perceived 'foreign enemy' in this case, Zurich saw this as a way out.
However, Zurich aren't alone in disputing their definition of the 'war exclusion'. Pharmaceutical giant Merck, with nearly $700 million worth of losses attributed to NonPetya, has sued more than 20 insurers - several of which used the war exclusion 'out' - that rejected claims in relation to the attack.
Not surprisingly, all this has ended up in the courts, where the two cases could take years to resolve. In the meantime, expect 'war exclusions' to be reworded.
. . .
If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.