Specifically, a large international snack food company, Mondelez International, Inc., is suing its cyber insurance company, Zurich American Insurance Company, for $100M after Zurich refused to pay for damages incurred due to a “NotPetya” ransomware attack. During the attack, Mondelez lost thousands of servers and laptops. You may think that ransomware was the entire reason you bought cyber insurance, so how can this be? In a word, “war”. See Mondelez Int. v. Zurich Am. Insurance, 2018-L-011008 (Cir. Ct. Cook County, Ill., Law Div.).
Taking a step back, it is important to understand what “NotPetya” is. “NotPetya” is a type of malware that effectively locks all of an infected computer’s data behind a paywall by encrypting said data. Unless the victim pays a ransom, usually in some form of cryptocurrency (hence the term “cryptolocker” as another euphemism for this kind of malware), the user’s data will remain encrypted and unusable forever. If the user pays the ransom, the hacker will supposedly “unlock” or decrypt the data. So you may think, “how is some bit of random ransomware an ‘Act of War’ or ‘Act of Terror’?” Well, according to the UK government, “NotPetya” was created by Russian hackers trying to harm Ukraine during the Russian annexation of Crimea. Thus, this particular ransomware was developed to cause chaos within Ukraine for a political purpose, and it was allegedly made by a state actor (despite the Russian government denying the allegations). For this reason, Zurich has argued that “NotPetya” was not mere malware, but actually the product of a hostile action of the Russian government, i.e., an “act of war.” On that basis, Zurich denied the claim.
Should Zurich win this case, it would mean that any malware with an alleged connection to any state actor, terror group, organized crime syndicate with links to terror organizations, or even an individual actor with a political motive would be excluded from coverage by cyber insurance policies. Given that so many of the most widespread and damaging malware families in existence (see WannaCry, Flame, Petya, NotPetya, Gauss, etc.) are thought to be connected to state actors or terror groups, that would basically make cyber insurance a complete waste of money—like having flood insurance that does not cover floods caused by rain. This is something to keep in mind for anyone with a cyber insurance policy and for those looking for such policies.
It also shows that actively training employees to avoid falling victim to phishing and other social engineering attacks, where most of these exposures happen, is critical to protecting your company. Be proactive, be smart, and make sure every employee from the top to the bottom understands these threats and how to identify them.
About the Author: Cy Alba is a partner and member of the Government Contracts and Small Business Programs groups. He may be reached at firstname.lastname@example.org.