The two risks that most insurers are least interested in underwriting are nuclear accidents and war.  While nuclear accidents have been blessedly infrequent (sorry, Karen Silkwood), the scope and import of war exclusions have a long and curious history, ranging from marine losses to raiders during the American Civil War to airline hijackings by the PLO during the 1970s.  Over the years, war exclusions have featured in coverage disputes arising out of the sinking of the Lusitania by a German submarine[1] and the Japanese attack on Pearl Harbor in 1941[2] both of which before there had been any formal declaration of war by the United States.   There was also a brief moment following 9/11 when insurers and reinsurers gave serious consideration to asserting war exclusions but decided not to, whether for reasons of patriotism, business relations or pragmatism.

While war risk exclusions are today a ubiquitous feature of both commercial property and liability insurance policies, their scope and meaning has become ever more elusive as the nature of war has changed in the modern era.   Nineteenth and Twentieth Century conceptions of war as military conflict fought between national armies on defined battlefields do not describe the wars that the United States has been engaged in throughout the world since 9/11, struggling with warring militant factions, splinter groups and terrorist proxies for malign nations.  Nor do they account at all for the weaponization of cyber-space by the United States, Russia, China, Iran and other countries in recent years.

In On War, Von Clausewitz famously described war as “politics by other means.”  So should we consider cyber-attacks as war by other means?  Obviously, not all cyber-attacks are “acts of war.”  However, should war exclusions apply where a nation’s security agency or proxy groups initiate a malware attack? 

That is precisely the issue now being litigated in the Mondelez litigation in the U.S. District Court for the North District of Illinois and the Merck case in New Jersey state court.  Both cases concern the availability of commercial property insurance for losses resulting from the NotPetya attacks in 2017.  In both cases, the losses were enormous:  $100 million for Mondelez and a reported $700 million for Merck.

The Zurich policy at issue in Mondelez is not cyber-insurance as such but does cover certain losses due to “malicious cyber damage.”  However, it also contains an exclusion for “hostile or warlike action in time of peace or war, including action in hindering, combating or defending against any actual, impending or expected attack by any: (i) government or sovereign power; (ii) military, naval or air force or (iii) agent or authority of any party specified in i or ii above.”  In both cases, the insurers are contending that their insured’s loss are excluded because of U.S. intelligent reports that NotPetya was initiated by the Russian military.

A recent opinion of the U.S. Court of Appeals for the Eleventh Circuit has called into question the efficacy of war risk exclusions that insurers commonly use in property, insurance and, more recently, cyber-risk policies.  While the wording of such exclusions is far from standard, the analysis set forth by the Eleventh Circuit in the Universal Cable Productions LLC v. Atlantic Specialty Insurance Company, No. 17-56672, 2019 WL 3049034 (9th Cir. July 12, 2019) is sure to be cited by policy holders in efforts to compel cyber-insurers to provide coverage for hacking incidents and that may involve foreign governments or criminal organizations acting in tandem with state security agencies.

The insurance coverage dispute in Universal Cable arose out of plans by a subsidiary of NBC Universal to produce a television show called “Dig” in Jerusalem in 2014.  Production on the show was halted, however, after Hamas began firing rockets into Jerusalem.  As a result, Universal Cable had to move its operations outside of Jerusalem, at a cost of several hundred thousand dollars.  Universal Cable sought reimbursement for these costs under a television production policy issued to it by Atlantic Specialty that provided coverage for first-party losses involving “imminent peril.”  Although the policy expressly included coverage for terrorism losses, it contained a four-part exclusion for war, as follows:

  1. War, including undeclared or civil war; or
  2. Warlike action by a military force, including action in hindering or defending against an actual or expected attack, by any government, sovereign, or other authority using military personnel or other agents; or
  3. Insurrection, rebellion, revolution, usurped power, or action taken by the governmental authority in hindering or defending against any of these. Such loss or damage is excluded regardless of any other cause or event contributed concurrently or in any sequence to the loss; or
  4. Any weapon of war including atomic fission or radioactive force, whether in time of peace or war . . . .

After Atlantic precipitously disclaimed coverage, litigation ensued in the US District Court in Pasadena, California.  Both parties moved for summary judgment presenting affidavits from a star-studded cast of diplomatic luminaries including Ambassador Dennis Ross.  More significantly, Universal Cable presented a lengthy affidavit from Ty Sagalow, the former chief underwriting officer of AIG, attesting to the standard and agreed understanding of “war” within the insurance industry.

The U.S. District Court granted summary judgment to Atlantic Specialty, declaring that the common and ordinary meaning of “war” surely encompassed missile attacks by an adversary.    The court declined to adopt any technical or specialized meaning as argued by Universal Cable.

In reversing the District Court, the Eleventh Circuit ruled on July 12 that

  1. There was no basis for finding ambiguity in this policy on the basis of the doctrine of contra proferentem doctrine since both parties were sophisticated and had been assisted by expert consultants in drafting this policy
  2. The District Court erred in according “war” its ordinary in light of the fact that Section 1644 of the California Insurance Code requires that a technical definition be used where the parties so intended.  In this case, the Ninth Circuit found that “war” was understood by the parties as involving conflicts between actual or de facto governments.  In particular, the Ninth Circuit focused on the Sagalow opinion, which Atlantic Specialty has not contested.

The Ninth Circuit concluded, therefore, that if Atlantic Specialty had wanted to exclude coverage for attacks by terrorist groups, it should have either included a terrorism exclusion in its policy or should have amended the war risk exclusion to encompass terrorist groups.

The Ninth Circuit left the door open for further findings, however, observing that the District Court had only relied on the first two subparts of the war exclusion and had not considered whether coverage might nonetheless be excluded as arising out of an insurrection or rebellion.  The case was therefore remanded for further findings with respect to that question.

There are many reasons to question the precedential effect of this ruling and whether it applies to the applicability of “war” exclusions in the context of other claims, including cyber-attacks. 

To begin with, the Ninth Circuit’s opinion relies on a statutory principle of California contract  On the other hand, the notion that terms should be accorded a technical meaning where both parties so intended is not unique to California and has been applied in states as a matter of common law.

Perhaps more crucially, the opinion evidence of Ty Sagalow concerning the insurance industry’s understanding of the meaning of “war” was given a free pass in this case.  One can only wonder why Atlantic Specialty failed to get an expert of its own on this issue or whether it believed that doing so would undermine its argument that the common and ordinary meaning of “war” should control, as the District Court had concluded.

Nevertheless, despite these obvious distinguishing factors, it is often the case that the first significant appellate ruling in a new area of the law will have an outsized impact on future litigation involving that issue for years.

While the circumstances giving rise to Universal Cable’s claim may seem a bit esoteric, the possibility of cyber-attacks on U.S. businesses from foreign actors whose interests are adverse to those of the United States are increasingly common.  But are these “hostile acts” subject to war exclusions in commercial property or cyber-policies?

The NotPetya cyber-attacks that gave rise to the pending coverage litigation with Merck and Mondelez began in June 2017 and were seemingly designed to coincide with Constitution Day, when Ukraine celebrates its independence.  Although NotPetya was apparently designed to be an attack on Ukraine, its effects were felt around the world.  In the wake of the fact, the United States concluded that NotPetya was an attack by Russian military cyber-specialists and imposed sanctions on Russia in March 2018.

In October 2018, Mondelez International, which owns Nabisco and Cadbury, sued Zurich American Insurance Company in state court in Chicago seeking coverage for over $100 million in first party losses that it claimed to have suffered when the NotPetya attack rendered 1,700 company computer servers and approximately 24,000 laptops “permanently dysfunctional.”  Zurich had denied responsibility for the loss, citing an exclusion for “hostile or warlike action…by any…government or sovereign power…military, naval or air force,” or an agent or authority of the aforementioned entities.

Commercial property policies often contain a Hostile Acts exclusion stating:

This policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this policy, contributing concurrently or in any other sequence to the loss:

hostile or warlike action in time of peace or war… by any:

(i) government or sovereign power (de jure or de facto);

(ii) military, naval, or air force; or

(iii) agent or authority of any party specified in i or ii above.

Cyber policies also often have “Hostile Act” exclusions but its terms may not be the same as appear in commercial property or liability policies.  Not only is there no standard wording used by cyber underwriters but exclusions in the cyber policies typically do not extend to cyber terrorism and state-sponsored cyber attacks. Additionally, many cyber insurers have agreed to limit the scope of these exclusions to “kinetic” war.

The Ninth Circuit’s opinion in Universal Cable will surely be cited by policyholders as refuting any suggestion that cyber-criminals are state actors whose conducts is subject to such exclusions.   At the same time, cyber-insurers may push back with respect to whether the industry understanding of “war” as set forth in Ty Sagalow’s affidavit was shared by them.   Additionally, the resolution of these issues will be complicated by difficulties of proof with respect to ascertaining the source of these cyber-attacks and the links between the criminals in question and state sponsors.

[1] Vanderbilt v. Travelers Ins. Co., 112Misc.248, 184N.Y.S.54

[2] New York Cas. Co. v. Bennion, 158 F.2d 260 (10th Cir. 1946).