January 11, 2019

Mondelez sues Zurich over NotPetya cyberattack – but insurer’s act of war argument is the wrong move

By Lucy Ingham

US food giant Mondelez is suing Zurich for $100m after the insurer failed to pay out on a claim for damage caused by the infamous NotPetya cyberattack.

Mondelez, which is behind a host of brands including Oreo, argues that Zurich should pay as its policy covers “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction”.

However, Zurich has refused, pointing to a clause that excludes acts of war.

But, argues Igor Baikalov, chief scientist at cybersecurity company Securonix, this is not the right move if the insurer is to win the case.

Why is NotPetya considered an act of war?

The NotPetya attack, which occurred in 2017, saw computers infected with ransomware that encrypted their file system and prevented them from starting up. Users were instead faced with a demand for payment in Bitcoin, giving affected companies the option of paying significant ransoms or losing vast amounts of data.

NotPetya affected a host of companies, with Mondelez among those hit. The US food company has reported losing 1,700 servers and 24,000 laptops in the cyberattack.

The finger of blame was pointed at the Russian government by a host of security experts and the UK government. It has been argued that the cyberattack was targeting the Ukrainian government, with other victims simply being collateral damage.

However, the Russian government has denied responsibility for the attack. And this makes the ‘act of war’ argument highly challenging to prove.

Mondelez sues Zurich: Why gross negligence is a better option

For Baikalov, Zurich does have an argument for denying Mondelez’s claim. However, act of war is not the right approach.

“Instead of a war exclusion clause, Zurich should have invoked a gross negligence clause, which is much easier to prove in this case than an attribution to a nation-state, particularly considering Mondelez was hit twice by the same ransomware,” he said.

“The ‘fool me once’ proverb is fully applicable here: while many companies fall victim to ransomware, one of the first steps to recovery is to make sure it doesn’t happen again.”

Given the increase in popularity of cybersecurity insurance – and the rise in nation-state accusations – this case is likely to be highly significant for the outcome of future cybersecurity claims.

“Many victims of data breaches or ransomware attacks cry ‘nation-state!’ as the first response to the incident, even though very few are able to prove it, and lax cybersecurity programs are to blame in most cases,” said Baikalov.

“Zurich is likely taking one for the team here, testing the waters for the whole insurance industry on the efficiency of the war exclusion and their ability to attribute attacks to a nation-state.

“I wonder who insures the insurers: what kind of cybersecurity protection is on Zurich’s own policy?”
