Digital force majeure: The Mondelez case, insurance, and the (un)certainty of attribution in cyberattacks

Insurance companies typically secure themselves under force majeure exclusions against the unpredictability brought about by acts of war. If a company were to be attacked by a nation-state in physical space-hit with a missile or by aerial bombing-there would be fairly clear carve-outs so their insurance company could exclude such an incident from coverage. But the same is not always true in cyberspace. This article examines an extreme outlier case in the world of cyberattacks and insurance-that is, the losses suffered by the U.S.-based food and beverage company Mondelez as a result of the NotPetya cyberattack-and scrutinizes just how far force majeure exclusions can be applied in cyberspace. The article attempts to reveal the significance of the legal qualification of a cyberattack and its attribution to a state for insurance coverage in both general insurance policies, like the one the Mondelez case stemmed from, as well as in insurance policies targeted to cover cyber risk. (c) 2021 Kelley School of Business, Indiana University. Published by Elsevier Inc. All rights reserved.