The Mondelez legal case filed against Zurich - regarding a claim the company made for damages incurred from the NotPetya attack - could have far-reaching implications for cyber-attack insurance
The legal case filed by multinational food and beverages giant Mondelez against Zurich American Insurance Company is unprecedented in the history of cyber-attack insurance – but it could have far-reaching implications for similar claims in the future.
Mondelez claims that Zurich breached a contract by refusing to pay out for an insurance claim that would cover physical damages and business losses totalling over $100m (£78m).
Zurich’s defence in the case is that NotPetya, the virus introduced to the Mondelez servers, was orchestrated by the Russian military, and is therefore not covered by the policy Mondelez purchased because of an exclusion for acts of war by a “government or sovereign power”.
Here we look at what the cyber-attack involved and examine the implications of the case, which was filed in October 2018, on the cyber insurance sector.
What was the NotPetya cyber-attack?
NotPetya was one of three major cyber-attacks, also including WannaCry and Petya, that used two exploits leaked from the US National Security Agency.
These were called EternalBlue and EternalRomance, and were used to penetrate systems running Microsoft Windows software and infect other machines connected to the same network.
Petya, the first of the attacks, was discovered in March 2016, with the WannaCry and NotPetya attacks taking place in May and June 2017 respectively.
NotPetya differed from the earlier WannaCry and Petya attacks in that it was not engineered to extort money from the users of infected systems – a practice known as ransomware.
Instead, it was designed only to masquerade as ransomware and cause as much damage as possible to systems within a network.
The UK and US governments both publicly blamed NotPetya on Russia, but WannaCry was blamed on North Korea.
Petya was reportedly spread by various groups, but is known to have been authored by Janus Cybercrime Solutions.
NotPetya inflicted a total of $1.2bn (£1bn) worth of damage.
Standalone cyber-attack insurance policies could grow in popularity
Mondelez’s insurance claim was made under its property insurance policy with Zurich – something known in the industry as a silent cyber claim – rather than a standalone cyber policy.
A standalone cyber policy covers policyholders for any kind of cyber-attack so they don’t have to rely on interpreting the wording of an alternative policy to make an insurance claim.
RSA Insurance Group cyber director Nigel Pearson says: “Policies may be silent on the issue of cyber cover and interpretation of the wording is needed to determine if cover applies.
“This is not an ideal situation and it can lead to litigation if the parties have different views.”
The fact Russia was blamed for the wider NotPetya attacks allowed Zurich to use the wording related to “hostile or warlike” actions by a “government or sovereign power” in its policy to deny Mondelez’s claim.
The use of this defence by Zurich means the burden of proof is on the insurer to prove the hack came from Russia, something that Israel-based cyber security expert Check Point says will be very difficult.
“There are attributions of NotPetya to Russia,” says the firm’s security research group manager Yaniv Balmas.
“However, as convincing as these attributions might be, they are speculative. It is doubtful if these types of attribution are robust enough to be upheld as evidence in a court of law.”
The difficulty attributing cyber-attacks has led to speculation about the use of war exclusions as a whole.
“Attribution of a cyber-attack to an individual or indeed a nation state can be very difficult, therefore challenging the basis for the application of a war exclusion in the first place,” says Mr Pearson.
“It is likely we will see the increasing use of exclusions under traditional policies for some cyber event-related outcomes, ultimately pushing cover towards dedicated standalone cyber policies,” he adds.
Nation-sponsored cyber-attacks could undermine policyholder confidence
John Pennick, chairman of the British Insurance Brokers’ Association’s cyber focus group, tells Compelo he expects the trend of alleged nation-state sponsored cyber-attacks to continue into 2019.
“This is not a concern that can’t be ignored,” he says.
The Mondelez case could present a turning point for the cyber insurance market because this is the first time the issue with war exclusion policies has led to legal action.
Should the outcome be in favour of Zurich, it could lead to more companies using the war exclusion condition.
And if there are to be more nation-sponsored cyber-attacks, as the industry predicts, Mr Pennick believes this could result in payment delays that are potentially “financially catastrophic” for policyholders.
He adds: “It is essential the UK cyber insurance market acknowledges this development in cyber risk and provides clarity on what affirmative cover they are prepared to provide.
“Failure of the market to respond positively could greatly undermine policyholder confidence.”
How companies could have been protected from alleged Russian cyber-attacks
The World Economic Forum’s 2018 Regional Risks for Doing Business report showed that the top concern for businesses in Europe and North America was the risk of cyber-attacks.
This is no surprise after 2017’s Petya and NotPetya attacks, but there is a question mark over the security processes of large companies that were affected by the attacks.
According to Check Point, widespread damage could have been prevented if victims had installed the Microsoft Windows patches that prevented exploitation of the EternalBlue system vulnerability.
The patches had been freely available from Microsoft for more than two months before NotPetya hit.
As well as highlighting the need for smart patch management, NotPetya revealed the weakness of companies relying on a cyber insurance policy without adequately investing in their own cyber security solutions.
Sharon Besser, vice-president of global data centre and cloud security firm GuardiCore, says that cyber security measures could have reduced the damage NotPetya inflicted on companies.
“The likelihood of a breach to happen is very high, so the challenge is how fast the security measures a company has in place can prevent the spread of the breach and protect their data.”
Cyber security software could have been used to isolate and segment the workloads on a company’s systems, according to Mr Besser.
He says: “Isolation limits access or totally disconnects services within a network and micro-segmentation can separate these services to only allow servers to connect to each other using applications that are trusted and necessary for the business.”
These cyber security measures limit the amount of user data that a hacker could access via the segment they managed to breach, preventing them from stealing any other data and stopping the hack from spreading to other servers within a network.
Company budgets could prioritise prevention ahead of cyber-attack insurance
The wide range of options available to organisations to protect themselves from cyber breaches could have a profound impact on the cyber insurance sector as companies potentially look towards prevention rather than reaction.
Although cyber insurance is expected to remain a priority for companies in 2019, budget allocation is moving towards investment in solid cyber security infrastructure.
“Organisations are changing their infrastructure by moving data to the cloud and this sort of infrastructure refresh comes with added security spending to protect that data,” says Mr Besser.
Authoritative research and advisory company Gartner released predictions in August last year that showed total security spending for 2019 would exceed $124bn (£96bn), driven mostly by mounting security risks.
Mr Besser believes companies will continue to use cyber insurance, but his prediction is laced with a warning.
He adds: “Organisations will continue to use cyber insurance. I do believe there is merit in this type of cover but they should understand what is covered by the policy.
“Events like NotPetya should cause us to rethink our risk in more depth and try to allocate our security budget to prioritise prevention.”