Zurich insurance refuses payout on NotPetya using 'war exclusion' clause

News by Tony Morbin

Zurich insurance is subject to a $100 million damages claim by US food company Mondelez for not paying out a claim related to the NotPetya cyber-attacks with the insurer citing war exclusion clause.

Zurich insurance is subject to a US$100 million (£78 million) damages claim by US food company Mondelez (which owns Cadbury and Oreo brands) for not paying out a claim related to the NotPetya cyber-attacks with the insurer citing an exclusion clause for "a hostile or warlike action" by a government or sovereign power or people acting for them.

It is reported by the FT that Mondelez had been hit twice by NotPetya, with 1,700 of its servers and 24,000 laptops rendered "permanently dysfunctional". Mondelez made a claim for the costs on its property insurance policy that, it said, provided cover for "physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction".

Mondelez court documents say Zurich loss adjusters had initially offered to make a US$10 million (£7.8 million) interim payment but then refused to pay resulting in the lawsuit.

In the cyber-security industry it is widely accepted, and asserted by the UK and US that the Russian government was behind the NotPetya attacks, aimed at Ukraine but with widespread collateral damage including £200 million losses at the Maersk shipping line, as well losses as Merck and Reckitt Benckiser brands Nurofen, Dettol and Durex.

In papers submitted to the Illinois, US court, Mondelez described the use of the 'war' clause as "unprecedented", with Zurich now required to prove Russia was behind the attack.

However, in cyber-security, attribution is rarely 100 percent as the tactics, techniques and procedures used - from code elements to IP addresses - can be spoofed to ‘frame’ or hide behind another actor. As a civil case simply requires the balance of probability, then assertions by government experts that it was Russia could be deemed enough to persuade the court. 

Conversely, a report by professional services company Marsh & McLennan Companies explains why it does not believe NotPetya was an act of war.

The report says; "Conflating the war exclusion with a non-physical cyber-event like NotPetya grows out of two factors: (1) NotPetya inflicted substantial economic damage on several companies, and (2) the US and UK governments attributed the NotPetya attack to the Russian military. These two factors alone, however, are not enough to escalate this non-physical cyber-attack to the category of war or "hostile and warlike" activity.

"These terms of art that have been considered by courts, and the resulting decisions, which are now part of the Law of Armed Conflict, make it clear that much more is required to reach the conclusion of "warlike" action.

"First: What were the effects of the attack? For a cyber-attack to reach the level of warlike activity, its consequences must go beyond economic losses, even large ones. Years before NotPetya, when President Obama was asked to characterise a similar nation-state cyber-attack that inflicted no physical damage but still proved "very costly" for a US company, the president aptly described the incident as "an act of cyber vandalism." For a cyber-attack to fall within the scope of the war exclusion, there should be a comparable outcome, tantamount to a military use of force.

"Second: Who were the victims and where were they located? Did the victims serve a military purpose and did they reside near the actual conflict or "at places far removed from the locale or the subject of any warfare." The most prominent victims of NotPetya operated far from any field of conflict and worked at purely civilian tasks like delivering packages, producing pharmaceuticals, and making disinfectants and cookies.

"Third: What was the purpose of the attack? NotPetya was not a weapon that supported a military use of force. The attack struck just before Constitution Day, when Ukraine celebrates its independence. The resulting chaos caused by NotPetya bore greater resemblance to a propaganda effort rather than a military action intended for "coercion or conquest," which the war exclusion was intended to address."

Sarah Stephens, cyber-specialist for insurance broker JLT was quoted in the press as saying: "It's a pretty brave step to rely on a state-sponsored hack for a war ruling. No one has previously claimed this exclusion. The insurer would have to prove it, and it's so hard to prove the assignment."

Consequently, Igor Baikalov, chief scientist at Securonix suggests in and email to SC Media UK that: "Instead of a war exclusion clause, Zurich should have invoked a gross negligence clause, which is much easier to prove in this case than an attribution to a nation-state, particularly considering Mondelez was hit twice by the same ransomware. The "fool me once" proverb is fully applicable here: while many companies fall victims to ransomware, one of the first steps to recovery is to make sure it doesn't happen again.

"Many victims of data breaches or ransomware attacks cry "nation-state!" as the first response to the incident, even though very few are able to prove it, and lax cyber-security programs is to blame in most cases. Zurich is likely taking one for the team here, testing the waters for the whole insurance industry on the efficiency of the war exclusion and their ability to attribute attacks to a nation-state. I wonder who insures the insurers: what kind of cyber-security protection is on Zurich's own policy?"

A Zurich insurance spokesperson told SC Media UK that both Zurich and Mondolez are subject to a privacy clause, and it would not comment where there is an ongoing claim, but confirmed that this was the beginning of the process. Next steps could be to take the case to court to test Zurich’s assertion that it was an act of war by a sovereign state, or there could be a settlement where some of the losses being claimed are covered. Industry commentators have suggested that Zurich could be going to the courts because it is such a large amount of coverage for a non-cyber policy, and it may want to ‘weed-out’ this kind of coverage from its general policies. Zurich launched its specific cyber-security insurance policy in the UK last year, though it launched earlier in the US.

In an email to SC Media UK, Matthew Webb, Cyber Line Underwriter at insurer Hiscox commented: "We think cases such as this, where a customer is trying to claim for a cyber-loss under a policy which is not cyber-specific, highlight the need for specially-designed cyber-insurance policies which protect customers from the potentially devastating impacts of cyber attacks.

"Cyber is one of the most significant and rapidly-evolving perils facing businesses and individuals today, and it requires specialist underwriting to provide cover that customers know is tailored to their particular needs. Dedicated cyber policies can also provide access to cyber experts who can assist in the event of an attack.

"In this day and age, being insured against the impacts of cyber-attacks is as essential as insuring a car, office or workforce, and being adequately covered should not be left to chance."

SC Editorial Opinion: For the sake of both the cyber-security industry and the insurance industry, it would be beneficial for the arguments to be thrashed out in court and clarify what reasonable expectations either side can have. With a lack of actuarial data alongside rising incidence of widespread breach, insurance companies are taking significant risks when they enter this market, but establishing cyber-security insurance is seen by many as a potential driver of minimum standards required to get coverage/reduce premiums, thus act as a driver of cyber-security - so long as the insured have an expectation that they will get paid if the worst happens.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews