‘Act of War’ Clause Puts Company’s Insurance Payouts at Risk
Nov 11, 2020
Companies banking on cyber-insurance policies to bail them out when faced with a cyberattack, beware. Your cyber insurance policy may not cover damages if, for instance, a nation-state carries out the attack. While this may seem unlikely, many modern cyberattacks are tied to nation-states, including North Korea, Iran, Russia, and even the US. When these attacks occur, they can be incredibly sophisticated, cause vast amounts of damage, and void your insurance claims.
This is exactly what happened in 2017, during one of the most devastating cyberattacks in history. The NotPetya wiper attack devastated companies such as food and beverage conglomerate Mondelez and pharmaceutical giant Merck. After asking for payouts from their insurance companies, they were hit with an “Act of War” clause hidden in their policies, absolving the insurance companies of financial responsibility. This prompted Mondelez and Merck to file a $100 million and a $1.3 billion lawsuit against their insurance companies, respectively. Following an investigation that concluded last week, the US indicted six Russian military members responsible for the NotPetya attack, severely hurting the aforementioned companies’ cases for compensation.
The “Act of War” Clause
The “Act of War” clause mentioned above, as included in Mondelez’s policy specifically, reads as follows:
- “This policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this Policy, contributing concurrently or in any other sequence to the loss:
  - (a) hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any:
    - (i) Government or sovereign power (de jure or de facto);
    - (ii) Military, naval, or air force; or
    - (iii) Agent or authority of any party specified in i or ii above.”
Insurers include clauses such as the one quoted above to protect themselves from a sharp rise in the occurrence of data breaches. According to financial rating firm AM Best, in 2019, the total number of insurance claims had doubled, year over year. This has directly influenced insurers to add exclusions to their policies, since offering broad coverage under standard premium rates could cause them to become insolvent.
As a result, companies may believe they are covered under a wide range of cyber-related scenarios; however, many are not buying insurance specifically for cyber risks. Within property and business-interruption insurance policies, insurers seek out clauses that seem to provide silent cyber coverage and eliminate them. This has given many companies a false sense of security when it comes to cyber risk.
It should go without saying, but cyber insurance should not be considered a replacement for cybersecurity. Even with proper coverage, insurance companies are using whatever means possible to limit their liability in the event of cyberattacks. This trend, coupled with the rising occurrence of cyber threats, makes it important for companies to manage their risk properly and responsibly. Secuvant can help companies navigate today’s cyber landscape, mitigating and managing cyber risks along the way.
Located in Salt Lake City, Utah, Secuvant is a global leader in integrated cyber threat analytics and risk advisory services, built on a value system of client focus, integrity, accountability, execution, and teamwork. Secuvant’s mission is to provide clients with a Clear Path Forward in their pursuit of establishing an acceptable security risk posture. Secuvant’s success is built upon strict adherence to its values, a functioning world-class advisory board, the unique combination of cybersecurity expertise and industry / vertical specialization, and a team of experts that repeatedly deliver best-in-class managed and advisory cybersecurity and risk services. Secuvant understands Cyber Risk is Business Risk™ and uses methodologies and metrics aimed at minimizing business risk. Services include, but are not limited to, Security Gap and Risk Assessments, Risk Program Management, Executive and Board Cyber Advisory, Penetration Testing, Security Monitoring, Managed Detection and Response and Incident Response services. To learn more visit www.secuvant.com.