The confectioner, which owns Cadbury and Oreo, says it lost 1,700 servers and 24,000 laptops as the ransomware swept through its systems.
However, Zurich American says the damage was the result of an “act of war” and therefore isn’t covered by the policy, which otherwise covers “all risks of physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”
Was NotPetya an act of war?
That’s the $100 million question. NotPetya is Windows malware that presented itself as ransomware and tore through organizations across the globe in June 2017.
The evidence points towards a state-directed attack rather than ordinary crime. Ukrainian organizations were among the first to be hit, and the country accounted for around 80% of all infections. Later investigations found that the malware was merely masquerading as ransomware: paying the ransom could not recover the encrypted data, and the code was in fact designed “to exact maximum destruction and damage”.
In that regard, it was a job well done, with one report estimating that insurers could expect to pay out more than $80 billion (£61 billion) as a result of the attack.
The attackers did control the initial seeding, and that is why Ukraine bore the brunt: NotPetya was delivered through a trojanized update to M.E.Doc, a tax-accounting package used almost exclusively by companies doing business in Ukraine. Beyond that first step, however, they had little control over which organizations would be hit. Like WannaCry, which had ripped through the UK only weeks earlier, NotPetya was a self-propagating worm built to spread automatically to every machine it could reach, and it moved from Ukrainian subsidiaries into the global networks of multinationals.
That means attacks of this kind will always produce collateral victims like Mondelez: organizations that were never the intended target.
Who is in the right?
Most experts agree that Mondelez has a strong claim despite NotPetya’s links to the Ukraine–Russia conflict. Zurich American at first seemed to agree, offering an initial payment of $10 million.
However, the insurer soon changed its mind, claiming an exclusion for “hostile and warlike action in time of peace and war [by] a government or sovereign power”.
Mondelez called Zurich American’s decision “unprecedented” in its court papers. Terrorism and act-of-war exclusions are common in insurance policies, but Mondelez contends that no insurer had previously invoked them to deny a claim arising from a cyber attack.
Rob Smart, technical director at the insurance consultancy Mactavish, believes exclusions for acts of war are “a bit of a grey area”, but that it is unlikely the policy’s authors had cyber attacks in mind when they inserted the exemption.
That doesn’t make it an open-and-shut case, but it does mean Zurich American will have its work cut out. With no precedent to cite, it will have to make an overwhelming case and prove that the Russian government was behind the attack. The US and UK governments publicly attributed NotPetya to the Russian military in early 2018, but a political attribution is not the same as evidence that satisfies a court, and nobody has yet had to prove the point to that standard.
Perilous future for cyber insurance
The result of the case will have major ramifications for cyber coverage, whether it is written as a dedicated cyber policy or, as here, as an all-risks property policy that happens to cover electronic data. The attack is probably as close as we’ll get to an act of war in cybercrime terms, so if Zurich American loses in the US courts, other insurers in the country will find it very hard to rely on the exemption for similar attacks.
We’d expect those firms – and, in all likelihood, insurers across the globe – to re-evaluate their policies to create specific exemptions for attacks such as NotPetya.
But if the court finds in favor of Zurich American, organizations will suddenly find themselves far less protected against cyber attacks than they thought they were, with any incident that can be linked to a state potentially falling outside their cover. This could lead to huge numbers of organizations dumping their policies and seeking specific protection against large-scale attacks.
Whatever the outcome, organizations must consider whether their cyber insurance policy is fit for purpose. We can’t think of many things worse than spending a chunk of your cybersecurity budget on an insurance policy only for an insurer to tell you after an attack: “It’s all there, black and white, clear as crystal. You get nothing!”
The best way to avoid that is to take the initiative on cyber security. An insurance policy only transfers financial risk after the fact; if you spend wisely on security defenses, you can prevent most attacks, respond promptly to breaches and mitigate the damage.
That’s easier said than done, but there’s a middle ground between shouldering the responsibilities of security and relying on an insurance policy.