Mondelez, the US Food Company That Owns Oreo and Cadbury Brands, Sues Zurich in Test For Cyber Hack Insurance

Mondelez, the US food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, for refusing to pay out on a $100m claim for damage caused by the NotPetya cyber attack. From a report: The case will be the first serious legal dispute over how companies can recover the costs of a cyber attack [Editor's note: the article may be paywalled; alternative source], as insurance groups seek to tightly define their liabilities. "It's a pretty big deal. I've never seen an insurance company take this position," said Robert Stines, a cyber law specialist at the US law firm Freeborn. "It's going to send ripples through the insurance industry. Major companies are going to rethink what's in their policies." The NotPetya attack in the summer of 2017 crippled the computer systems of companies around the world, including Merck, the pharmaceuticals company, Reckitt Benckiser, the consumer group, and Maersk, the world's largest shipping group. It caused billions of dollars of damage and has been blamed by the US and the UK on Russian hackers attacking the Ukrainian government.

[...] According to the Mondelez court documents, Zurich initially worked to adjust the claim in the usual way and at one point even promised to make a $10m interim payment. But it later refused to pay, relying on an exclusion in the policy for "a hostile or warlike action" by a government or sovereign power or people acting for them. Mondelez described Zurich's refusal as "unprecedented" and is seeking $100m in damages. Both companies declined to comment on the case.

Client failed to keep systems patched

[Mortimer82]

NotPetya largely used EternalBlue to exploit unpatched Windows computers.

If Mondelez had simply kept reasonably upto date with Windows Updates, the damage would have been highly limited, or possibly non-existent. The fact that they claimed damages of $100M means that countless computers were not upto allowing the malware to infect them over their network.
I hope Zurich wins, because in the same way that insurance companies are not expected to pay out for accidents as a result of a clearly unroadworthy automobile, insurance companies should not be expected to pay out for damages due to grossly negligent IT practices.

Re:Client failed to keep systems patched

I agree that it was their own negligence that lead to their exploitation, but unfortunately that's not the grounds on which Zurich is denying their claim. Zurich is denying the claim because they are categorizing the attack as cyberwarfare, rather than categorizing the defense as piss-poor as a paper shield in Hell.

If they denied the claim based on negligence, that would indeed be the precedent we've all been waiting for, because it would inspire every other insurance company to say "why the hell weren't we doing that before?!" and change their policies accordingly. Once that happens, the future will look a lot brighter for everyone.

If every insurance company were to educate themselves on proper IT security policies and procedures, they could have risk tables for every possible scenario. Weak passwords, insecure cipher suites and outdated software would lead to getting your claims denied and your premiums jacked up. Strong encryption, salted hash tables, reasonably* updated software and abstinence from Windows could score you a lower premium and a stronger guarantee of having your claim approved. On top of that, if the insurance companies have people on staff who know what the right and wrong things to do are, they could offer IT services for an extra fee, providing technicians who can consult with corporate IT staff in order to develop migration strategies for their software and workflow that meet the requirements for saving more on their insurance.

But that's not what's happening today. Today, we're seeing the normal kind of duck-and-weave bullshit we're used to seeing from insurance companies. They've found some clever way of denying the claim, this time by capitalizing on anti-Russian hysteria. It would have been much easier to deny the claim based on negligence. I don't know why they wouldn't have gone with that route, it would be much easier to prove that their client couldn't have been hit by NotPetya if they were more careful, rather than being faced with the task of proving that a nation state actor had targeted their client during a time of war. Last I checked, Oreo cookies weren't made in Ukraine. Not the ones I've been eating, anyway.

* Obviously, in a corporate environment, updates can't be applied as quickly as you would on a home system. They need to be tested on a closed system and carefully deployed. Just don't take over five fucking years to update openssl like countless companies have been caught doing lately.

Re:no subject

If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

In this case, it's more like you locked your door, but someone exploited a weakness and gained access.

If this was a straight hack, then I assume Zurich has no wiggle room.

What seems to be described in TFS is that since people are attributing this to government sponsored hackers, the exclusion of 'warlike or hostile' activity applies.

This would create two different classes for purposes of insurance ... one where the hack was by non-government entities, and one where the hack was by government entities.

Since you can't really prove the claim it was government, how do you know the clause applies?

This is interesting, because it basically would give insurers an out to say "hey, that was a hostile act by a foreign government, therefore your policy doesn't apply".

In reality, your analogy has no bearing on the situation, because it's wrong.