Under a common, but rarely used clause in insurance contracts called the “war exclusion”, hundreds of companies like Mondelez, struck by the so-called NotPetya cyberstrike in 2017, are being denied claims related to digital attacks. At the heart of the issue is qualifying cyberattacks as cyberwar. For example, when Sony Entertainment experienced a cyberattack in 2014 brought on by North Korea, President Barak Obama was hesitant to label it as an act of “cybervandalism.”
In The New York Times article, “Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong,” John Carlin, chair of Morrison & Foerster’s Global Risk and Crisis Management group and co-chair of the National Security practice, is noted with saying that the “description of the Sony attack was deliberate” and that, “The Obama administration had worried, in part, that the use of “cyberwar” would have triggered the liability exclusions and fine print that Mondelez is now challenging in court.”