Mondelez International, maker of Oreos and Ritz Crackers, has settled its lawsuit against a cyber insurance company, which had refused to cover multi-million dollar cleanup claims resulting from the widespread NotPetya ransomware attack in 2017.
The snack giant originally filed suit against Zurich American Insurance in 2018, after NotPetya's global rampage through major multinational corporations, and the case has been tied up in court since. The terms of the deal were not disclosed, but the settlement marks a compromise outcome, demonstrating just how thorny cyber insurance exclusion clauses can be.
NotPetya: An act of war?
The lawsuit rested on the terms and conditions of cyber insurance policies, specifically the exclusion of damages caused by acts of war.
NotPetya, dubbed by the U.S. government in 2018 as “the most devastating and costly cyberattack in history,” began by compromising targets in Ukraine and then spread globally, eventually affecting companies in 65 countries and causing billions of dollars in damage. It spread rapidly thanks to its use of the EternalBlue exploit, a leaked NSA cyberweapon that allows malware to self-propagate from system to system over Microsoft SMB file sharing. Notable victims of the attack included FedEx, shipping giant Maersk, and pharmaceutical giant Merck.
In the case of Mondelez, the malware locked down 1,700 servers and a staggering 24,000 laptops, crippling the company and causing over $100 million in damage, downtime, lost profits, and repair costs.
As if that wasn’t tough enough to swallow, the food giant quickly found itself choking on Zurich American’s response when it filed a cyber insurance claim: the insurer denied the claim, citing the policy’s exclusion for “hostile or belligerent conduct in time of peace or war” by a “government or sovereign state.”
Given world governments’ attribution of NotPetya to the Russian state, and the attack’s original purpose of striking Ukraine, a known adversary of Moscow, Zurich American took the position that the Mondelez attack was collateral damage from an act of war, albeit unintended. Mondelez filed suit nonetheless.
But Mondelez argued that Zurich American’s contract left some crumbs on the table, so to speak, since it was not clear which attacks could and could not be covered. The policy clearly states that it covers “all risks of physical loss or damage” (emphasis on “all”) to electronic data, programs, or software, including loss or damage caused by the “malicious introduction of machine code or instructions,” a situation that NotPetya perfectly embodies.
Carolyn Thompson, head of underwriting at Cowbell Cyber, a cyber insurance provider for small and medium-sized businesses (SMBs), said the lack of clear cyber insurance policy wording opened the door for Mondelez’s challenge, and that the case should serve as a cautionary note to others negotiating coverage.
“Application of coverage and the war exclusion remains one of the most challenging areas for insurers as cyber threats continue to evolve, businesses increasingly rely on digital operations, and geopolitical tensions continue to have far-reaching implications,” she told Dark Reading. “While it is of utmost importance for insurers to be familiar with the terms of their policy and seek clarification where necessary, it is also important to choose a modern cyber policy that can evolve and adapt to the pace of risk and exposure.”
There is one obvious problem with making the war exclusion stick in cyber insurance: the difficulty of proving that an attack was in fact an “act of war,” which usually comes down to the burden of determining on whose behalf the attack was carried out.
At best, attribution is more art than science, with a shifting set of criteria underpinning confident accusations. Advanced persistent threat (APT) attribution often relies on much more than quantifiable technical artifacts or overlaps in infrastructure and tooling with known threat groups.
Squishier criteria include aspects such as victimology (are the targets consistent with a nation’s interests and policy objectives?), the language used in social engineering lures and in code, the level of sophistication (does the attacker appear to be well resourced? Did they use an expensive zero-day?), and the apparent motive (espionage, destruction, or financial gain?). There is also the issue of false flag operations, in which one adversary manipulates these very levers to frame a rival or foe.
“What strikes me is the idea of verifying that these attacks can reasonably be attributed to nation states – how?” said Philippe Humeau, CEO and co-founder of CrowdSec. “It is well known that it is almost impossible to trace the operational base of sufficiently skilled cybercriminals, because airgapping their operations is the first line of their strategy. Second, governments are really reluctant to admit that they provide protection for cybercriminals. Third, cybercriminals in many parts of the world are typically a mix of mercenaries, loyal to the entity/state funding them, but fully expendable and subject to denial if any question arises as to their affiliation.”
So, since governments do not claim responsibility for attacks the way terrorist organizations do, most threat intelligence companies hedge their state-sponsored attributions with phrases like “low/medium/high confidence that XYZ is behind the attack,” and different companies may attribute a given attack to different sources. If it’s so hard for professional cyberthreat hunters to identify culprits, imagine how hard it would be for cyber insurance adjusters operating with just a fraction of that skill set.
If the standard of evidence for an act of war is a broad government consensus, this also poses a problem, says Humeau.
“Accurately attributing an attack to a state would require transnational legal cooperation, which has historically proven difficult and time-consuming,” Humeau says. “So the idea of attributing these attacks to a nation-state in a way that is absolutely ‘no fuss’ is, legally speaking, very much open to question.”
An existential threat to cyber insurance?
Thompson points out that one of the realities of today’s environment is the sheer volume of state-sponsored cyber activity in circulation. Bryan Cunningham, attorney and advisory board member for data security firm Theon Technology, said that if more insurers simply denied all claims resulting from such activity, they could end up paying out far less, and ultimately cyber insurance might not be worth the premiums businesses pay.
“If a significant number of judges actually start allowing carriers to exclude cyberattack compensation solely on the basis of allegations of state sponsorship, it would be devastating to the cyber insurance ecosystem,” he says. “For that reason, I don’t think many judges will accept this, and proof will most likely be difficult anyway.”
Meanwhile, Ilia Kolochenko, chief architect and CEO of ImmuniWeb, says cybercriminals will find ways to use exclusions to their advantage.
“The problem stems from the potential impersonation of well-known cyberthreat actors,” he says. “If, for example, cybercriminals unaffiliated with any state want to extend the damage they inflict on victims by excluding eventual insurance coverage, they simply need to impersonate a well-known state-backed hacking group. This undermines trust in cyber insurance, which can turn out to be useless in the most serious cases, where you actually need coverage to justify the premiums you pay.”
Exclusion Issues Remain Open
The settlement between Mondelez and Zurich appears to indicate that the insurer at least partially defended its position (or perhaps that neither side had the stomach for further litigation costs), but there are conflicting legal precedents.
Another NotPetya case on the same issue, between Merck and Ace American Insurance, was resolved in January when a New Jersey superior court ruled that the act-of-war exclusion applies only to real-world, physical warfare.
Despite the unsettled state of the area, some cyber insurers are pressing ahead with war exclusions, notably Lloyd’s of London. In August, the market stalwart told its syndicates that they should exclude coverage for state-sponsored cyberattacks starting in April 2023, to protect against catastrophic losses.
Still, we have yet to see such a policy succeed.
“Lloyd’s and other insurers are working to make such exclusions stronger and more absolute, but I think this too will ultimately fail, because the cyber insurance industry likely won’t be able to withstand such changes for long,” said Cunningham of Theon.