Updated: Oct 30, 2019
In June, 2017 many organizations were hit by the “NotPetya”, which is malware which masqueraded as a ransomware. Instead of encrypting the target company’s data and extorting money, NotPetya was developed to purposefully inflict as much damage as possible to their systems. Like WannaCry and Petya, NotPetya leveraged the “EternalBlue” and “Eternal Romance” exploits which took advantage of known weaknesses in Microsoft Windows Software. These exploits were developed by the U.S. National Security Agency and were leaked out to the public.
Many of the countries which were affected by NotPetya blamed Russia for the attacks, but Russia denied any involvement in the attacks. It is estimated that NotPetya inflicted $1.2Bn in damages worldwide. One of the companies who was hit by NotPetya was Mondelez International, Inc. Mondelez is an American Multinational food and beverage corporation. Due to the level of damages incurred, Mondelez filed a $100M cyber insurance claim with their provider, Zurich Insurance Group.
Zurich, based on the attributions made to Russia in the attack have denied the claim under an “Act of War” exception clause. (See Below)
Typical “Act of War” clause
“For loss, damage, cost, or expense of whatsoever nature directly or indirectly caused by, resulting from, or in connection with war, invasion, acts of foreign enemies, hostilities or warlike operations (whether declared or not), civil war or mutiny, civil commotion assuming the proportions of, or amounting to, a riot, popular uprising, military uprising, insurrection, rebellion, revolution, or usurped power or act of terrorism, regardless of any other cause or event contributing concurrently or in any other sequence to the loss; or for loss, damage, cost, or expense of whatsoever nature directly or indirectly caused by, resulting from, or in connection with any action taken by a government authority to hinder, control, prevent, suppress, or defend against any of the aforementioned actions; or the confiscation, nationalization, requisition, or destruction of, or damage to, property by, or under the order of, any government authority. “
These types of exclusion clauses are in most Cyber Coverage policies and have, until now, not been executed. Mondelez is currently suing Zurich in an unprecedented case. Zurich is claiming that the malware was introduced to the Mondelez networks by the Russian Military and as such the claim is not covered due to the “Act of War” exclusion clause. Mondelez is claiming breach of contract under their existing policy. This case will have a profound impact on the Cyber Insurance market.
This case points out 2 important items:
First, it is critical to understand what is in your current Cyber policy. Many times, companies are asked to fill out a simple questionnaire prior to the policy issuance. This questionnaire typically asks questions about current security activities. These are generally very simple and subjective questions that allow the provider to underwrite the policy. This does not always align to the covenants in the policy which must be adhered to in order to file a claim.
Second, an ounce of prevention is worth a pound of cure. A comprehensive security program which addresses human, technical and procedural controls will go a long way towards preventing a breach. While there is never a point where all risks have been eliminated, a good program which implements a “Defense-in-depth” strategy and allows an organization to identify and protect critical assets, detect an attack at its earliest stages, and effectively respond to and correct gaps quickly will greatly reduce the impacts and potential losses.
Finally, the outcome of this current case will be interesting to watch and will surely impact all of the current Cyber Policies in some manner.