Calling Virus “Act of War,” Insurer Refuses to Pay Ransomware Claim

essidsolutions

An Illinois lawsuit filed by snack-food maker Mondelez could have significant ramifications for cyber insurance after Zurich American Insurance rejected claims relating to the NotPetya ransomware virus that paralyzed large organizations in June 2017.

Mondelez is suing Zurich American Insurance for $100 million after the insurer refused to pay out a claim for losses related to the virus. Zurich argues the virus was an “act of war” and therefore not covered under its policy. In its defense, Zurich is citing US government-supported claims by the British Government that the Russian military was behind the cyber attack as part of its ongoing conflict with Ukraine.

NotPetya is a form of ransomware that threatens to delete files on computers and servers unless a ransom is paid. It has been described as one of the most expensive cyber attacks in history, costing a number of large companies hundreds of millions of dollars in lost revenue. At Mondelez, NotPetya triggered the shutdown of 1,700 servers and some 24,000 laptops, creating chaos at factories and halting production.

The company filed a $100 million claim with Zurich for losses under a clause in its policy covering “physical loss or damage to electronic data, programs or software” caused by “the malicious introduction of a machine code or instruction.” Zurich first offered a $10 million settlement but after its rejection pointed to an exclusion clause in the policy against losses caused by “hostile or warlike action in time of peace or war by any government or sovereign power.”

Judge to Rule on Russian Involvement

Neither Britain nor the US has offered hard evidence of Russian involvement in the attack. If the case is heard in court, judges will be required to rule on whether NotPetya can be classed as a hostile state act.

The UK and US accused Russia of launching the NotPetya attacks against Ukraine and targeting companies with strong business ties to the country, including Maersk, TNT and Reckitt Benckiser. The virus spread to corporations worldwide, enveloping Mondelez, WPP and Merck. But Russia denied it was behind the attack.

Some argue that the US is not at war with Russia, so even if that country were behind NotPetya, the attack cannot be considered an act of war. Insurance services firm Marsh & McLennan says that to be considered a “warlike act,” physical destruction from the use of military force must be a factor. However, Zurich’s exclusion does cover hostile acts that occur in peacetime.

Yet, Russia has been involved in a low-level war with Ukraine that has included military intervention since 2014. But Marsh & McLennan points out that the victims of NotPetya such as Mondelez were not located near the point of conflict, making it hard to deem them collateral damage.

It also says that the attack occurred just before Ukraine’s Constitution Day so bore the hallmarks of a propaganda attack rather than military action.

The Costs of Finger-Pointing

According to the UK and US, state-sponsored cyber attacks are on the rise, with Iran, North Korea and China as well as Russia targeting infrastructure and corporate interests in western economies. But the danger in such accusations, unsupported by hard evidence, is becoming evident.

If courts believe that these are acts of war, corporations will find they are left without insurance coverage, potentially opening a market for new forms of cyber insurance that cover businesses and organizations for state-sponsored cyber attacks. Such policies could become cripplingly expensive.

If the NotPetya and WannaCry attacks were indeed state-sponsored, they seem to have been effective in creating confusion and high costs for western interests.

Some believe the Mondelez vs Zurich case will be settled out of court and not require a judge’s verdict. But sooner or later, a clear judgement will be required about whether these attacks are acts of war not covered by standard insurance policies.