Ride The Lightning

Earlier this month, I read a fascinating story from CPO Magazine and another from ZDNet about Zurich American Insurance Company's refusal to pay out a $100 million claim from consumer packaged goods company Mondelez, which was one of the biggest victims of the NotPetya ransomware attack in June 2017.

Zurich's claim? The NotPetya attack was an act of cyber war and therefore not covered by the policy. Really? What a test case this will be.

According to Mondelez, its cyber insurance policy with Zurich specifically covered “all risks of physical loss or damage” and “all risk of physical loss or damage to electronic data, programs or software” due to “the malicious introduction of a machine code or instruction.” One would think that the language in the cyber insurance policy was specifically designed to be broad enough to protect Mondelez in the event of any kind of cyber attack or hack. And NotPetya would seem to fit the definition included in the cyber insurance policy – it was a bit of malicious code that effectively prevented Mondelez from getting its systems back up and running unless it paid out a hefty Bitcoin ransom to hackers.

Mondelez totaled up all the damage that resulted from the NotPetya ransomware attack and filed a cyber risk insurance claim for $100 million. That figure covered the loss of 1,700 servers and 24,000 laptops, the loss of thousands of user credentials, unfilled orders and other related economic losses from the security breach.

Originally, Zurich indicated that it might pay $10 million, or about 10 percent of the overall claim. But then Zurich stated that it wouldn't pay any of the claim by invoking a special “cyber war” clause. According to Zurich, it is not responsible for any payment of the claim if NotPetya was actually “a hostile or warlike action in time of peace or war.” According to Zurich, the NotPetya cyber attack originated with Russian hackers working directly with the Russian government to destabilize the Ukraine. This is what Zurich believes constitutes "cyber war."

Zurich American Insurance Company points to the official statements of national security officials from the UK, Canadian and Australian governments, all of which, in February 2018, blamed Russia for the cyber attack. Even the White House in the United States said the cyber attack was part of Kremlin efforts to destabilize the Ukrainian government. Moreover, all of these Western governments specifically noted that the NotPetya attack first struck Ukraine before spreading around the world to impact companies like Mondelez.

Mondelez was outraged. Company executives called Zurich’s actions “unprecedented,” and insurance industry insiders say that Zurich’s actions could set a “nasty new precedent” about what cyber insurance covers. Many are now worried that any time there is a cyber attack or data breach, an insurance company offering cyber insurance can simply claim that it was due to an “act of cyber war,” and reject the claim.

The burden of proof falls on the insurance company. Zurich will have to prove that NotPetya was, indeed, an act of cyber war. That may be very difficult indeed. While intelligence agencies blamed Russia for the attack, they offered no public proof to support that attribution.

It wasn’t just Mondelez that was left reeling by the cyber attack – shipping giant Maersk projects that its total losses were close to $300 million, while global logistics giant FedEx says that its losses were also in the neighborhood of $300 million.

So just imagine what would happen if the world’s top insurance companies are suddenly faced with the prospect of “once in a lifetime” events happening every few months. It has the potential to bring down the entire insurance industry, or at least, the cyber insurance industry. Just as some insurers refuse insurance policies for homeowners located in the middle of hurricane or earthquake zones, they might start refusing to write cyber insurance policies for large organizations that deal with personal data and information.

What will the courts decide the policies mean? How will they define a "cyber war?"

And from the consumer point of view, how much can you count on your cyber insurer to bail you out? Isn't that why you bought the insurance? Zurich's refusal to pay has met with a lot of backlash.

E-mail: snelson@senseient.com   Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology