This case will shape the future of cyber risk insurance so worth following, even if it takes years to play out…:
[…] Mondelez’s case against Zurich is proceeding in an Illinois court. Merck has filed a similar suit in New Jersey.The trials are likely to drag on for years because several key issues will have to be answered.
The first might be: What is cyberwar? In 2006, Secretary of Defense Robert Gates, alarmed by the incessant briefings he was receiving on cyberattacks against the U.S. military and defense companies, asked the Pentagon’s general counsel at what point these attacks could be considered “acts of war” under international law. It took two years for the counsel’s office to respond and, even then, only evasively: Yes, the reply read, such attacks might be acts of war—but the precise circumstances were left vague.
Second, to what extent can an intelligence agency’s judgment—the basis of which is probably classified—be cited to establish liability in a civil court case?
Third, Mondelez’s lawyers are arguing that the war exclusion cannot be applied because the company and its transactions took place far from the Russia-Ukraine battlefield. But what are the battlefield’s boundaries in cyberspace? Is there even such a thing as a battlefield?
Finally, as more (and more damaging) cyberattacks appear to be directed by national governments or their proxies, what is the point of having cyberinsurance if such attacks are excluded from coverage? This is the question that many clients will ask themselves if the insurers win these two cases. In other words, a tactical victory for the insurers could spawn a strategic defeat.