Zurich Refuses to Pay Out for NotPetya ‘Act of War’

Zurich Refuses to Pay Out for NotPetya ‘Act of War’

Confectionary giant Mondelez is suing Zurich after the insurer refused to pay out over $100m on its insurance policy to cover losses incurred during the NotPetya ransomware campaign.

The owner of Cadbury believes it is owed the money to pay for the permanent damage to 1700 of its servers and 24,000 laptops as well as unfulfilled orders and other disruption to its distribution operations, according to reports.

It believes this falls under its policy’s provision to cover “all risks of physical loss or damage” to property, including “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”

However, the insurance giant has claimed that an exclusion applies in this case because NotPetya falls under a “hostile or warlike action in time of peace or war” — meaning it doesn’t have to pay up.

Led by the UK, the Five Eyes nations came together in February last year to blame Russia for the attacks in June 2017.

“The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organizations across Europe costing hundreds of millions of pounds,” a Foreign Office statement noted at the time.

However, despite their strong statements, the governments didn’t produce hard evidence to back up their claims, which could make it difficult for Zurich to prove its case, according to experts.

The insurer should instead have invoked a gross negligence clause, because Mondelez was hit by the same ransomware twice, argued Igor Baikalov, chief scientist at Securonix.

“The ‘fool me once’ proverb is fully applicable here: while many companies fall victims to ransomware, one of the first steps to recovery is to make sure it doesn't happen again,” he added.

“Zurich is likely taking one for the team here, testing the waters for the whole insurance industry on the efficiency of the war exclusion and their ability to attribute attacks to a nation-state. I wonder who insures the insurers: what kind of cybersecurity protection is on Zurich's own policy?”

NotPetya cost losses that ran into the hundreds of millions for the likes of FedEx, Maersk, Merck and many more. It was claimed in November that they have now exceeded $3bn.

Source: Information Security Magazine