In an unprecedented move, insurance giant Zurich is refusing to pay a $100 million claim for damage made by Mondelez. The US food company, owners of Oreo and Cadbury, made a claim for the damage caused by the NotPetya cyberattack in June 2017, which wreaked havoc on the company and others including Maersk and Merck.
In their refusal, Zurich claims that because countries including the UK, Australia, Canada and the US officially blamed the Russian government for NotPetya, the cyber attack falls under an exclusion in the policy which holds that “hostile or warlike action in time of peace or war” will not be covered.
What Was NotPetya
In June 2017, after its predecessors WannaCry and Petya had done their damage, a new ransomware emerged known as NotPetya. However, NotPetya was only masquerading as ransomware; it was actually designed to commit as much damage as possible to its target systems within a network. The hack utilised two exploits leaked from the US National Security Agency, known as EternalBlue and EternalRomance, which were able to penetrate systems running Microsoft Windows software and then infect other machines connected to that same network.
When it was done, NotPetya inflicted a total of $1.2 billion worth of damage to various companies. Mondelez calculated their own damage at $100 million, attributed to the loss of 1,700 servers and 24,000 laptops, the loss of thousands of user credentials, unfilled orders and other economic losses.
Indeed, in an official statement, the White House alleged that the attack was “part of the Kremlin’s ongoing effort to destabilize Ukraine”, demonstrating “ever more clearly Russia’s involvement in the ongoing conflict.” Russia continued to deny involvement and condemn the Western countries’ “russophobic” campaign.
An Unfortunate Precedent
At the time, it may have been difficult to predict that this political naming-and-shaming would have any serious impact beyond foreign relations. However, when Mondelez filed their claim under the provision of its insurance policy, which covered “physical loss or damage to electronic data, programs, or software” caused by “the malicious introduction of a machine code or instruction”, the implications hit home. Zurich denied the claim, labelling the attack an “act of war”, and pointing to the announcements made by multiple governments that attributed the attack to Russian hostility towards Ukraine and the West.
Mondelez has asserted that Zurich’s application of the exclusion clause to a cyberattack, or anything but conventional warfare for that matter, is bizarre and illegal. If Mondelez’s claim fails, the case could set an unfortunate and dangerous precedent.
The Good News
Fortunately for Mondelez, it seems as if the odds are in their favour. The burden of proof rests on Zurich to attribute NotPetya to the Russian government as an act of war. While the government statements are provocative, they are unlikely to be compelling evidence before a court. Indeed, when the accusations were made by the Five Eyes nations, not a single shred of evidence was used to back them up. The evidence may actually exist, but it is probably highly sensitive and not worth the political headache for governments to release.
Cybersecurity firm Check Point asserts that the burden of proof on Zurich is extremely heavy. As convincing as the accusations may be, “they are speculative…[and] it is doubtful if these types of attribution are robust enough to be upheld as evidence in a court of law”, the firm explains. Interestingly, other experts are predicting that nation-sponsored cyberattacks will continue to rise. Chairman of the British Insurance Brokers’ Association’s cyber focus group, John Pennick, suggests that this may lead to more payment delays and lawsuits, which could have financially catastrophic impacts on policy holders.
This case highlights various pertinent issues. Firstly, it demonstrates the danger of over-reliance on insurance policies to cover the damage from cyberattacks, rather that proactively investing in cybersecurity itself. The Vice-President of the global data centre firm GuardiCore, Sharon Besser, asserted that better cybersecurity measures could have at least reduced the damage inflicted by NotPetya. Fortunately, research and advisory company Gartner predicted in August 2018 that security spending in 2019 would exceed $124 billion as companies become more driven by mounting security risks.
Secondly, it shows the need for governments to practice a great deal more caution when tossing around blame for cyberattacks, turning them into pawns for political manoeuvring. These accusations can have far-reaching implications and unintended consequences. Governments should think more deeply about the questionable benefits they receive from their incriminations and weigh them against a growing variety of potential fallouts.
Finally, the case raises the question of what “cyber war” is exactly, and how it should be dealt with. One thing is for certain, however: the realm of cyberspace is evolving much more rapidly than our policies, businesses and rules can keen up with, and this must be remedied.