May 2, 2019
Should Zurich fail to prove any of the points in this article, NotPetya could be, in the court’s eyes, an act of criminality, or even of terrorism. The possibility of this outcome raises the question: how have insurers treated alleged state-sponsored cyberattacks that could arguably fall under the umbrella of cyberterrorism and thus, be included in the Terrorism Risk Insurance Program (TRIP)?
Acts of cyberterrorism are covered under the Terrorism Risk Insurance Program (TRIP) should the economic losses trigger the threshold required for federal assistance. In a guidance issued by the Treasury Department at the end of December 2016, the Treasury made clear that cyber coverage “written in TRIP-eligible lines of insurance” is covered by TRIP.
Generally speaking, insurers seem inclined to modify the war exclusion in cyber policies to omit cyberterrorism. There have been a number of state-sponsored cyberattacks recently—including WannaCry, often attributed to the North Korean government—and there has been no high-profile denial of coverage by insurers under the war exclusion like this most recent one from Zurich. Likely, insurers will see that pursuing coverage denials too aggressively would result in lost customers. Thus, insurers have been willing to cover damages from fallout like the one seen in NotPetya, WannaCry, etc. without much pushback.
Acts of cyberterrorism are covered under the Terrorism Risk Insurance Program (TRIP) should the economic losses trigger the threshold required for federal assistance. In a guidance issued by the Treasury Department at the end of December 2016, the Treasury made clear that cyber coverage “written in TRIP-eligible lines of insurance” is covered by TRIP. Additionally, cyber liability policies defined as “stand-alone comprehensive coverage for liability arising out of claims related to unauthorized access to or use of personally identifiable or sensitive information due to events including but not limited to viruses, malicious attacks or system errors or omissions” that may “also include expense coverage for business interruption, breach management and/or mitigation services” are definitively included in the definition of “property and casualty” insurance covered by TRIP. It is expected that should TRIP be authorized in December 2020, much will stay the same.
Though the court battle between Mondelēz and Zurich is being fought in the context of a property policy, it carries major implications for cyber insurance in the future, as many cyber insurance policies do have war risks exclusions. A broad ruling in favor of Zurich could make it that much more difficult to mitigate cyber risk with insurance policies, considering the recent increase in state-sponsored cybercrime. Whatever the outcome may be, the case illustrates that brokers and risk managers, as well as their clients, must be vigilant, seek clarity and assurances to minimize the possible risk of coverage denial in the event a state actor is involved in a triggering event, and become intimately familiar with cyber policy terms, conditions and exclusions.
However, in regards to TRIP, where an event has never triggered the thresholds required for federal assistance, there is much more ambiguity, especially when it comes to covering a cyber-event defined as terrorism.