Cyberlaw wonks squint at NotPetya insurance smackdown: Should 'war exclusion' clauses apply to network hacks?

Analysis The defining feature of cyberwarfare is the fact that both the weapon and the target is the network itself. In June 2017, the notorious file-scrambling software nasty NotPetya caused global havoc that affected government agencies, power suppliers, healthcare providers and big biz.

The ransomware sought out vulnerabilities and used a modified version of the NSA's leaked EternalBlue SMB exploit, generating one of the most financially costly cyber-attacks to date.

Among the victims was US food giant Mondelez – the parent firm of Oreo cookies and Cadburys chocolate – which is now suing insurance company Zurich American for denying a £76m claim (PDF) filed in October 2018, a year after the NotPetya attack. According to the firm, the malware rendered 1,700 of its servers and 24,000 of its laptops permanently dysfunctional.

In January, Zurich rejected the claim, simply referring to a single policy exclusion which does not cover "hostile or warlike action in time of peace or war" by "government or sovereign power; the military, naval, or air force; or agent or authority".

Mondelez, meanwhile, suffered significant loss as the attack infiltrated the company – affecting laptops, the company network and logistics software. Zurich American claims the damage, as the result of an "an act of war", is therefore not covered by Mondelez's policy, which states coverage applies to "all risks of physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction."

While war exclusions are common in insurance policies, the court papers themselves refer to the grounds as "unprecedented" in relation to "cyber incidents".

Previous claims have only been based on conventional armed conflicts.

Zurich's use of this sort of exclusion in a cybersecurity policy could be a game-changer, with the obvious question being: was NotPetya an act of war, or just another incidence of ransomware?

The UK, US and Ukrainian governments, for their part, blamed the attack on Russian, state-sponsored hackers, claiming it was the latest act in an ongoing feud between Russia and Ukraine.

Either way, it is evident that the result of the case will have enormous ramifications for cyber insurance policies and a significant impact on the monetisation of cybercrime. If Zurich's approach is successful, it could also lead to a loss of confidence in cyber insurance as an investment – ironically devaluing Zurich's product.

Are war exclusion clauses fit for purpose under International Humanitarian Law as cyber-attacks?

The juxtaposed nature of cyber-attacks and war, which has connotations of devastation and loss of life, leads to questions about whether the NotPetya attack would meet the standards under International Humanitarian Law (IHL). In order for IHL to be applicable, there needs to be an "armed conflict" – however, the term itself is not defined within the treaties.

Notably, there are two types of conflict governed by the IHL: International Armed Conflict (IAC) and Non-International Armed Conflict (NIAC).

Due to the ongoing conflict between Russia and Ukraine, we'll look at whether or not the NotPetya attack could be considered an International Armed Conflict; if it was, it could possibly fulfil that exclusionary clause. There are three points we need to look at.

1: Was the attack 'international' in nature?

Since the US and the UK accused Russia, this allowed the often problematic notion of attribution to arise, and possibly led Zurich to justify the war exclusion clause.

There are competing views regarding the attribution, with both the GRU – the Russian Military Intelligence Agency – and Russian-sponsored hackers accused. Legally, an IAC exists when hostilities between two states occur, so if it were the Russian military agency (being an organ of the state), the international element would suffice.

However, if it were non-state actors (NSA), in order for the conflict to be classed as international, the state would have to have "overall control" of the NSA. For those interested in the case law, this principle is outlined by the International Criminal Tribunal for the former Yugoslavia (ICTY) in The Prosecutor v Dusko Tadic*.

If there was sufficient control of these groups, where a state has issued directions on specific cyber acts to cause significant damage, the international aspect could be fulfilled. However, it is clear from jurisprudence that mere support alone in the form of financing, training and equipping falls below this threshold. Therefore, the difficult burden of attribution will lie with the defence of Zurich.

2: Was the 'armed conflict' requirement sufficed?

Due to an absence of treaty definition, there have been competing views on what level of "armed" is required. It has been argued that the traditional approach cannot govern cyber-attacks as these are not kinetic acts. However, the growing consensus is that IHL is applicable.

The minds behind the Tallinn Manual – the international cyberwar rules of engagement – were divided as to whether damage caused met the armed criterion. However, they noted there was a possibility that it could in rare circumstances.

Professor Michael Schmitt, director of the Tallinn Manual project, indicated (PDF) that it is reasonable to extend armed attacks to cyber-attacks. The International Committee of the Red Cross (ICRC) went further to enunciate that cyber operations that only disable certain objects are still qualified as an attack, despite no physical damage. There will be no doubt Zurich will have to consider the wider implications and rising tensions between Russia and Ukraine for the attack to be considered an armed conflict, which, based on a lack of previous cyber operations, would be unlikely.

3: Was the threshold of 'armed attack' met?

The attack is defined as an act of violence against the adversary in article 49(1) of the additional protocols to the Geneva Convention. Although controversy surrounds the cyber application due to the requirement of physical damage, which is usually associated with violence involving physical force, and it is unclear where the line would be drawn, the consensus is that attacks resulting in non-violent operations such as psychological cyber or espionage would not qualify as an attack.

There have been different approaches taken to assess what physical force is required about a cyber equivalent. Tallinn Manual's Schmitt insists (PDF) that the attack must result in injury or physical damage to objects. Whereas Dr Knut Dörmann, head of the legal division at the ICRC, extended the concept, saying that though it might not necessarily result in injury or damage, it could be partial destruction (see here).

A competing view reflects a greater extent of duration and intensity, meaning that a single cyber incident that causes limited damage, destruction, injury or even death would not suffice nor be classified as IAC. Due to the uncertainty, the current proceedings would have to tread carefully in how they define the level of damage as widening the threshold could warrant an avalanche of insurance claims and also reduce the threshold for conflicts.

The future outcome... or just the beginning?

The unfolding nature of the case will be highly anticipated. However, it will likely remain that the NotPetya cyber-attack could not reach the high thresholds currently set out by the IHL framework as an IAC.

The proceedings highlight the inadequacies of the current international regulation. The case will hopefully guide the limits of insurance coverage. However, the case may leave questions unanswered and create new ones, such as: is IHL the best way to go forward about cyber damage? How should cyber conflict be defined?

And lastly: if it is decided that this kind of damage from cyber-conflicts is uninsurable, how will this impact the companies that are hacked? ®

* Dusko Tadic was charged by the ICTY with a list of crimes allegedly committed in the Prijedor region of Bosnia-Herzegovina between 25 May 1992 and early August of the same year [PDF]. The Appeals Chamber found that "the armed forces of the Republika Srpska were to be regarded as acting under the overall control of and on behalf of the [Federal Republic of Yugoslavia]". (Our emphasis.)