NotPetya an ‘act of war,’ cyber insurance firm taken to task for refusing to pay out

A lawsuit has been launched against Zurich Insurance Group by Mondelez in a bid to seek a reported $100 million in damages after an insurance claim was not paid out in relation to a NotPetya cyberattack.

The case, filed with the Cook County court in Illinois (case: 2018 L 011008), alleges that Spanish food giant Mondelez’ insurance company Zurich did not pay out following the attack, which took place in 2017.

An outbreak of NotPetya impacted businesses worldwide, including TNT, Ukrainian banks, energy companies, airports, and shipping giant Maersk. 

In Mondelez’ case, factories were disrupted and production stopped as staff struggled to wrestle back control of their computers. In turn, the NotPetya attack would have hit the firm’s profit margins.

NotPetya is a type of ransomware similar to Petya but it received a raft of upgrades and increased in sophistication before being released to the point researchers separated the malware out into its own family.

The ransomware will often use the EternalBlue and EternalRomance exploits to propagate. Once executed on a vulnerable Windows machine, the malware will reboot the system and overwrite the master boot record (MBR) with a custom loader and a ransomware note which demands $300 in Bitcoin (BTC).

See also: Your 2018 guide to cyber insurance is here

As reported by Bloomberg, the Mondelez-Zurich dispute has been given an interesting facet in the field of cyber insurance due to attribution, and one which has the potential to prompt insurance companies worldwide to reexamine their policies.

The US government said the cyberattacks were the work of the Russian military and were part of the “Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.”

The claim was later found to be a coordinated diplomatic action between countries including the US, Australia, UK, Denmark, Lithuania, Estonia, and Canada, all of which were critical of Russia for the NotPetya spread.

Russia has denied involvement but the public link to NotPetya has had an interesting effect on this lawsuit.

It is reported that Mondelez attempted to claim $100 million on its insurance policy due to the damage NotPetya caused to thousands of servers and laptops, not to mention the theft of credentials, abandoned customer orders and other losses caused by the malware outbreak. 

CNET: iPhone set to match Android security with new Yubico hardware key

While the insurance policy covered “physical loss or damage to electronic data, programs, or software” by way of “the malicious introduction of a machine code or instruction,” Zurich apparently chose not to pay up, citing the NotPetya spread as “hostile or warlike action in time of peace or war,” which, therefore, voided the claim.

Marsh & McLennan argues, however, that as NotPetya struck non-military targets who operated “at places far removed from the locale or the subject of any warfare;” the damage caused was purely economic rather than resulting in any loss of life or injury, and “the chaos caused by NotPetya bore greater resemblance to a propaganda effort rather than a military action intended for “coercion or conquest,” which the war exclusion was intended to address.”

“As cyber-attacks continue to grow in severity, insurers and insurance buyers will revisit the issue of whether the war exclusion should apply to a cyber incident,” said Matthew McCabe, senior VP of Marsh. “For those instances, reaching the threshold of “warlike” activity will require more than a nation-state acting with malicious intent […] most nation-state hacking still falls into the category of criminal activity.’

TechRepublic: CES 2019: How Winston can protect consumers and smart offices from identity thieves

By attributing the attacks to Russia, governments have created a cyberwarfare dialogue which may be used in other lawsuits in the future as part of a defense. Acts of war are difficult to claim against, but on the other hand, any attributed attack may end up being considered part of this narrative — leaving victims to pick up the tab despite any insurance policies in place.

Update 12.03 GMT: Zurich declined to comment on the ongoing lawsuit.

ZDNet has reached out to Mondelez and will update if we hear back. 

Previous and related coverage