Mondelez v Zurich – lessons from the $100mn cyber trial
Hermès Marangos examines some of the implications from Mondelez International's recent lawsuit against Zurich over NotPetya ransomware losses.
Mondelez International's lawsuit against Zurich in the Illinois courts in which it claimed insurance coverage for significant losses caused by the NotPetya ransomware attack in 2017 settled mid-trial. Much has been written about the case and the industry clauses reviewed during the trial. Many of those comments represent neither industry practice nor the law.
The dispute in Mondelez concerned established international market clauses. Historically, courts on both sides of the Atlantic have sought to take a broadly consistent approach to interpreting clauses of this type, reflecting the need for both insureds and insurers to have relative certainty on what their policies will cover, whichever the governing law, as well as the need for key standard terms to be given a consistent meaning. This interpretative approach gives specific technical meaning to such international industry terms, by looking at industry practice through the historic development of the clauses in question.
The key lessons from the case for the industry are, first, that interpretation of technical insurance provisions requires the input of industry professionals and lawyers with market expertise and, second, that, as new risks develop, policy wordings need to evolve with the market around them – the courts (on each side of the Atlantic) will not generally bend the meaning of insurance terms of art to squeeze a new risk within a policy wording not designed to address it.
“The key lessons from the case for the industry are, first, that interpretation of technical insurance provisions requires the input of industry professionals and lawyers with market expertise and, second, that, as new risks develop, policy wordings need to evolve with the market around them”
The Mondelez property policy provided all risks cover for physical loss or damage. This specifically included physical loss of damage to electronic data, programs, or software caused by the malicious introduction of a machine code or instruction.
Zurich, however, relied on a standard war risks exclusion from the policy which carved out losses caused by "hostile or warlike action in time of peace or war".
In essence, the Illinois court had to consider whether a cyber attack (i.e. the introduction of an electronic virus to corrupt data) could be classified as war damage under the standard exclusion. Somewhat surprisingly to those in the industry, a number of arguments were advanced at trial based on the Webster's dictionary definitions of the key terms, rather than the specific industry meanings attributed to those terms as seen in the historic development of the clause in question.
Specifically, with regard to the different political violence terms within a standard set of exclusions (e.g. "war risks" and "terrorism risks"), the way such clauses have developed demonstrates the key differences between each term, but also the elements that have to be shown for the purpose of triggering the clauses. There are no really grey areas in this. For example, where a particular type of violent attack perpetrated by a prescribed organisation would be classified as a "terrorist attack", the same violent attack perpetrated by a group with attributes of a state would be classified as "war damage" (cf. Hamas terrorist attacks with those by Hezbollah.) All these examples have historically reflected and tracked market practice, with case law confirming the position.
Similarly, not every action by a terrorist would fall within the insurance definition of "terrorist attack". Rather, the specific action in question must fall within the technical meaning. Members of a "terrorist" organisation may participate in potentially violent incidents like bank robberies that would not be classified as a "terrorist attack" for insurance purposes. There is a difference between a terrorist act versus the act of a terrorist.
In Mondelez, a key battleground was the meaning to be given to “hostile”. The historic development of the standard clause and, in particular, the interplay between “hostile” and “hostilities”, is key to understanding its meaning. The term “hostilities” (“hostilités”) which, like other political violence terms such as "terrorism" (“terrorisme”), come from the French, is a reference to armed forces engaged in battle, as in essentially physical attacks like overt acts of warfare. That then feeds into the historic development of the standard clause to refer to “hostile acts by belligerents”. At no time did anything change in the clause during its periodical development to suggest that “hostile” can have a broader non-technical meaning for contracting parties in the insurance industry.
Similarly, the reference in the standard clause to "in time of peace or war” was a development designed to avoid suggestions that, in the absence of a formal declaration of war (for example the attack on Pearl Harbor or the Korean war), otherwise "warlike" acts should not fall within the exclusion. This logic also applies to other political violence terms to allow proper distinctions to be drawn for example between a riot and an insurrection. As the judiciary has accepted on both sides of the Atlantic, whatever the common elements there may be in different acts of political violence, one would not want to describe the World Trade Center or Pearl Harbor as "malicious mischief" or "vandalism". Or a hijacking as a riot on a plane, that is a "flying riot".
“The industry post NotPetya introduced new wordings across various lines precisely because the existing wordings could not cater for the new risk”
Another matter of concern in the Mondelez case, as previously seen in key Covid disputes, was an attempt to ignore well-understood market definitions and practice on the basis that losses that end up being catastrophic should be treated differently in the contracts. Effectively, it was suggested that the war exclusion should be extended, given the size of the loss. That was despite the fact that, by the time of the Mondelez trial, the industry had already deployed new exclusion clauses to cater for the specific issue in hand, differentiating between war damage and acts by states involving major cyber attacks (following the legal position and industry practice on the meaning of war damage). The industry post NotPetya introduced new wordings across various lines precisely because the existing wordings could not cater for the new risk.
After all, historically, the market has always adapted to take account of catastrophic events as they occur and decide on what risks could be insured and by whom and on what precise and sustainable basis. That has been the case from the origins of the market as a marine insurance one (and the separation of the war and marine markets), to the Waterborne Agreement and the prohibition of war on land following the mass bombings experienced in the Spanish Civil War, to developments of wordings on terrorism following the attack on the King David Hotel by Irgun in 1946, and more recently the Mary Axe bombings by the IRA in 1992 and the Al Qaeda attacks on the USA in 2001.
The point here is that historically, quite remarkably, some of the wordings and solutions that guide us were in fact produced as the events were happening around us. One particularly notable example was the Free from Capture & Seizure version of the war exclusion clause in marine insurance covers, which was drafted at the height of World War II in 1943.
It is, of course, also true that various non-war related actions by states can have catastrophic results on other states. Especially powerful states are becoming ever more sophisticated in the ways they may try to undermine other states. Cyber attacks may form part of the standard future “armoury” of states. One day, it may even be possible to “subjugate” states without wars. However, even if a cyber attack can be attributed to a state power, it remains insufficient to bring it within the scope of a war risks exclusion such as the one at issue in Mondelez, even if it can create more chaos in another state than certain actions that would be considered "hostile" or "warlike" in the technical insurance sense. It may be that coverage "should" be excluded for this type of act but, as the legal community very well knows, one must draft legal documents to deal with such risks accordingly.
As the recent market wordings on catastrophic cyber attacks by states show, such distinct losses have to be addressed by new clauses. And the greatest lesson always remains the same. Insurance uses technical meanings, and courts internationally do not depart from them at the expense of one party against another even when the losses are catastrophic. Even systemic risks require different solutions to abandoning the rule of law.