Mondelez International, maker of Oreos and Ritz Crackers, has settled a lawsuit against its cyber insurer after the provider refused to cover a multimillion-dollar cleanup bill stemming from the sprawling NotPetya ransomware attack in 2017.
The snacks giant originally sued Zurich American Insurance in 2018, after NotPetya completed its global cyber looting of major multinational corporations, and the case had since been stalled in court. Terms of the deal were not disclosed, but a “settlement” indicates a compromise resolution – illustrating what a thorny issue cyber insurance exclusions can be.
NotPetya: Act of war?
The lawsuit was based on the contractual terms of the cyber insurance policy – specifically, an exclusion for damages caused by acts of war.
NotPetya, which the US government called in 2018 “the most destructive and costly cyberattack in history”, began by compromising Ukrainian targets before spreading globally, eventually affecting businesses in 65 countries and costing billions of dollars in damage. It spread rapidly thanks to the EternalBlue exploit in its attack chain, a leaked NSA weapon that allows malware to propagate from system to system via Microsoft SMB file shares. Notable victims of the attack included FedEx, shipping giant Maersk and pharmaceutical giant Merck, among others.
In the case of Mondelez, the malware locked down 1,700 of its servers and 24,000 laptops, leaving the company incapacitated and reeling from more than $100 million in damages, downtime, lost profits and remediation costs.
As if that weren’t hard enough to swallow, the food kahuna soon found itself choking on Zurich American’s response when it filed a cyber insurance claim: the underwriter had no intention of covering the costs, citing the aforementioned exclusion, which included the language “hostile or warlike action in time of peace or war” by a “government or sovereign power”.
Thanks to world governments’ attribution of NotPetya to the Russian state, and to the attack’s initial mission of hitting a known kinetic adversary of Moscow, Zurich American had a case – despite the fact that the Mondelez attack was certainly unintended collateral damage.
However, Mondelez argued that Zurich American’s contract left crumbs on the table, so to speak, given the lack of clarity on what an attack could and could not be covered for. Specifically, the insurance policy clearly stated that it would cover “all risk of physical loss or damage” – with emphasis on “all” – “to electronic data, programs or software, including loss or damage caused by the malicious introduction of machine code or instructions.” That is a situation NotPetya embodies perfectly.
Caroline Thompson, head of underwriting at Cowbell Cyber, a cyber insurance provider for small and medium-sized enterprises (SMEs), notes that the unclear wording of the cyber insurance policy left the door open for Mondelez’s challenge – and should serve as a cautionary message to other policyholders.
“The extent of coverage and application of wartime exclusions remains one of the most challenging areas for insurers as cyber threats continue to evolve, businesses increase their reliance on digital operations and geopolitical tensions continue to escalate and have a widespread impact,” she told Dark Reading. “It is paramount that insureds know the terms of their policy and seek clarification if necessary, but also opt for modern cyber policies that can evolve and adapt to the pace of their risks and exposures.”
There is a glaring problem with making war exclusions stick for cyber insurance: it is difficult to prove that attacks are indeed “acts of war” – a burden that generally requires determining on whose behalf they are conducted.
At the best of times, attribution is more art than science, with a shifting set of criteria underpinning any confident finger-pointing. Justifications for attributing activity to advanced persistent threats (APTs) are often based on much more than quantifiable technical artifacts, such as overlaps of infrastructure and tooling with known threats.
Spongier criteria may include aspects such as victimology (i.e., are the targets consistent with state interests and political goals?); the subject matter of social engineering lures; the coding language; the level of sophistication (does the attack require substantial resources? are they using an expensive zero-day?); and motive (is the attack focused on espionage, destruction, or gain?). There is also the issue of false-flag operations, where an adversary manipulates these levers to ensnare a rival or adversary.
“What shocks me is the idea of verifying that these attacks can reasonably be attributed to a state – how?” says Philippe Humeau, CEO and co-founder of CrowdSec. “It is well known that it is difficult to track the base of operations of a decently skilled cybercriminal, as the isolation of his operations is the first line of his playbook. Second, governments are unwilling to admit that they provide cover for cybercriminals in their countries. Third, cybercriminals in many parts of the world are typically a mix of privateers and mercenaries, loyal to the entity or nation-state funding them, but fully expendable and deniable if there are questions about their affiliation.”
This is why, in the absence of a government claiming responsibility for an attack in the style of terrorist groups, most threat intelligence firms hedge state-sponsored attribution with phrases such as “we assess with low/medium/high confidence that XYZ is behind the attack”, and, to boot, different companies may attribute a given attack to different sources. If it is so difficult for professional cyber threat hunters to identify the culprits, imagine how difficult it is for cyber insurance experts operating with a fraction of the skill.
If the standard of proof for an act of war is broad governmental consensus, that also poses problems, Humeau says.
“Accurately attributing attacks to nation states would require legal cooperation between countries, which has historically proven to be both difficult and slow,” Humeau says. “So the idea of attributing these attacks to nation states that will never admit it leaves too much room for doubt, legally speaking.”
An existential threat to cyber insurance?
To Thompson’s point, one of the realities of today’s environment is the sheer volume of state-sponsored cyber activity in circulation. Bryan Cunningham, attorney and advisory board member at data security firm Theon Technology, notes that if more insurers simply deny all claims arising from such activity, there could indeed be very few payouts. And, ultimately, companies may no longer view cyber insurance premiums as worth paying.
“If a significant number of judges actually start allowing carriers to exclude cyberattack coverage simply after claiming that a nation state was involved, it will be as devastating to the cyber insurance ecosystem as 9/11 was (temporarily) for commercial real estate,” he says. “As a result, I don’t think many judges will buy into this, and proof, anyway, will almost always be difficult.”
On a different note, Ilia Kolochenko, Chief Architect and CEO of ImmuniWeb, notes that cybercriminals will find a way to use the exclusions to their advantage, further reducing the value of having a policy.
“The problem stems from possible impersonation of well-known cyber-threat actors,” he says. “For example, if cybercriminals – unaffiliated with a state – wish to amplify the damage caused to their victims by excluding possible insurance coverage, they can simply try to impersonate a notorious state-backed hacking group when they break in. This will undermine confidence in the cyber insurance market, as any insurance can become futile in the most serious cases that actually require the coverage and justify the premiums paid.”
The issue of exclusions remains unresolved
Even though the Mondelez-Zurich settlement would seem to indicate that the insurer was at least partially successful in making its case (or perhaps neither party had the stomach to incur additional legal costs), there is conflicting legal precedent.
Another NotPetya case between Merck and ACE American Insurance on the same issue was put to bed in January, when the New Jersey Superior Court ruled that act-of-war exclusions extend only to physical warfare in the real world, which required the underwriter to pay a hefty $1.4 billion to settle the claims.
Despite the unsettled state of this area of law, some cyber insurers are pushing ahead with wartime exclusions, including Lloyd’s of London. In August, the market stalwart told its syndicates they would be required to exclude coverage for state-sponsored cyberattacks from April 2023. The idea, the memo notes, is to protect insurance companies and their underwriters against catastrophic losses.
Even so, the success of such policies remains to be seen.
“Lloyd’s and other carriers are working to make these exclusions stronger and more absolute, but I think that too will eventually fail because the cyber insurance industry is unlikely to be able to survive such changes for long,” said Theon’s Cunningham.