Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mondelez, the US Food Company That Owns Oreo and Cadbury Brands, Sues Zurich in Test For Cyber Hack Insurance (ft.com)

Posted by msmash on from the up-next dept.

Mondelez, the US food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, for refusing to pay out on a $100m claim for damage caused by the NotPetya cyber attack. From a report: The case will be the first serious legal dispute over how companies can recover the costs of a cyber attack [Editor's note: the article may be paywalled; alternative source], as insurance groups seek to tightly define their liabilities. "It's a pretty big deal. I've never seen an insurance company take this position," said Robert Stines, a cyber law specialist at the US law firm Freeborn. "It's going to send ripples through the insurance industry. Major companies are going to rethink what's in their policies." The NotPetya attack in the summer of 2017 crippled the computer systems of companies around the world, including Merck, the pharmaceuticals company, Reckitt Benckiser, the consumer group, and Maersk, the world's largest shipping group. It caused billions of dollars of damage and has been blamed by the US and the UK on Russian hackers attacking the Ukrainian government.

[...] According to the Mondelez court documents, Zurich initially worked to adjust the claim in the usual way and at one point even promised to make a $10m interim payment. But it later refused to pay, relying on an exclusion in the policy for "a hostile or warlike action" by a government or sovereign power or people acting for them. Mondelez described Zurich's refusal as "unprecedented" and is seeking $100m in damages. Both companies declined to comment on the case.

52 of 73 comments (clear)

  1. no subject by fluffernutter · · Score: 4, Insightful

    If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:no subject by Oswald+McWeany · · Score: 1

      If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

      Let's test out your theory!

      What's your address?

      --
      "That's the way to do it" - Punch
    2. Re:no subject by Nidi62 · · Score: 2

      If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

      Especially if you did it twice since, according to the alt source, Mondelez got hit by NotPetya several times. As they say in Texas: "Fool me once, shame on me. Fool me twice, not....not gonna fool me again." Or something. I hope Zurich wins so that companies actually start seeing a financial incentive towards basic system security.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    3. Re:no subject by N1AK · · Score: 1

      I'm really not sure on the point of this post. Your home insurance will include requirements about how the property is secured, and a sign asking people to take your stuff would invalidate cover that only covered theft or damage as you'd struggle to argue it was either; all of which has sweet f.a. to do with cyber liability insurance.

      Clearly some more informed people are surprised that Mondelez payout was refused; which at least implies that it isn't simply clear breaches of the terms of the agreement, or that industry practice had been to previously pay claims in similar circumstances.

    4. Re:no subject by postbigbang · · Score: 1

      Oh, were things that simple.

      Admit that almost every platform has unknown zero-day cracks in existence today. If it's not a local three-letter agency, "state actors", various organized entities, clever coders, or others, most all platforms have cracks. Employing risk mitigation and asset protection schemes doesn't seem to be working.

      Look at any summary of 2018 cracks, and the list is long. Billions of records were spilled into someone's bit bucket, or ransomed.

      So one insures one's assets. The devil of the policy details dictates what should be settled. Even if there wasn't strict due diligence, there is often liability recourse on the part of the policy holder. The insurance company may have liability.

      This is where the lawyers get rich, the insurance company gets mad and starts bribing the legislatures/pols to get laws changed in their favors, the process of getting the gendarmes involved, etc. It's a well-known process, now eventually coming to code near you.

      --
      ---- Teach Peace. It's Cheaper Than War.
    5. Re:no subject by jellomizer · · Score: 2

      That isn't an Apt anthology.
      It is more like you didn't lock your windows on your second floor. The crook, just use a ladder and got in stole your stuff and your home insurance which was to help cover theft didn't cover it because your house wasn't a fortress.

      The problem with IT Security today, nearly every system needs military grade security on them. Which is often expensive, and hinders the overall usefulness of the IT Infrastructure.

      This is why these companies buy Cyber hack insurance, to help make sure hacks don't kill the business. Now for the Insurance Company, it really should have done a better risk assessment and charged Mondelez based on their risk, gave them help on improving secure, or just rejecting to cover them as being too risky.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:no subject by fluffernutter · · Score: 2

      If said company wants to use technology with cracks then it is up to said company to stay ahead of such cracks. Yes it can be expensive and complicated, not my problem. Maybe companies should demand more secure software.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    7. Re:no subject by fluffernutter · · Score: 1

      Companies need to demand secure software. If it was easy enough for a crook to climb a ladder and get in a second floor window, I would lock the second floor windows and I wouldn't ever install a window without a lock again.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    8. Re: no subject by The+Grim+Reefer · · Score: 1

      9800 Savage Rd. Apt 6272 Ft. George G. Meade MD 20755-6000

      Edward Snowden didn't seem to have any trouble with that address.

    9. Re:no subject by postbigbang · · Score: 2

      That's the (w)hole point. What are due diligence and best practices against an unknown zero-day? Companies DO demand more secure software, operating platforms, monitoring, intrusion detection, and more.

      They're up against an obscene number of known uncorrected problems as well as unknown, uncorrected problems. Stuff happens.

      The car analogy is you hit black ice, which you couldn't see, and you spin out of control and hit something. In that case, your insurance pays anyway. You did your best, and there are minimum speed limits on most roads and you watched as well as you could and you hit the ice and spun out anyway.

      I do not believe, however, than "expensive and complicated" has to be the rule. Although there may be the rare exception, everyone using a computer in the US, where I live, has been a victim of an authorized disclosure.

      And no one says, gimme that insecure software stuff, 'cause it looks juicy. Instead, they click on a phish that loads them with a dose of malware, and wittingly or not, become an infection vector.

      --
      ---- Teach Peace. It's Cheaper Than War.
    10. Re:no subject by Anonymous Coward · · Score: 1

      I hope Zurich wins, so that insured companies learn they can't just pay a pittance to an insurance company to cover them if they want to avoid paying for proper security. Instead they will learn it will cost a LOT of $$$$ to pay an insurance company to cover them, as they will have to pay a lot more for a policy that would cover that sort of attack.

      On the other hand, I hope that the insured company wins so insurance companies learn to REALLY raise their rates: That way the insured companies will find out it will cost a lot more $$$$ to pay an insurance company to cover them.

      Either way, companies are going to find out that the cyberinsurance that will cover their "industry standard" crappy security is going to be a LOT more expensive.

      At that point they can either pony up more $$$ to the insurance companies, or they can implement better security practices, or they can insist that the IT hardware and software they buy is more secure than it is now. The bar for "industry standard" security will have to be raised from "meh, who cares. Equifax got hacked and wound up making money from it" to "we better do a decent job of this or it will cost us".

    11. Re:no subject by fluffernutter · · Score: 1, Flamebait

      If software companies can't prevent zero day exploits then they shouldn't be releasing internet facing software.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    12. Re:no subject by Vitriol+Angst · · Score: 1

      I'm not sure who has the better case here, but I can predict that insurance companies are going to start auditing companies they insure for cyber damage to see if they have some resiliency.

      No insurance company is going to want to cover a business that stores oil soaked rags and gasoline next to the furnace.

      --
      >>"ad space available -- low rates!!!"
    13. Re:no subject by shess · · Score: 1

      Companies need to demand secure software. If it was easy enough for a crook to climb a ladder and get in a second floor window, I would lock the second floor windows and I wouldn't ever install a window without a lock again.

      To be fair, often enough it's more like they didn't even know they had second-floor windows, because they had never gone upstairs. Which is not to let them off the hook, the stairs were there, they could have checked.

      Of course, this being software, it's like you have a million sets of stairs, some go upstairs, some go downstairs, some are dimensional portals, but the majority of them end in a brick wall or sewer, so checking them is no fun at all.

      I dunno, comparing software security to real-life security is like comparing fish to bicycles.

    14. Re:no subject by bondsbw · · Score: 1

      Then what is the point of such insurance?

      You don't have car insurance if your car is 100% guaranteed never to get in an accident.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    15. Re:no subject by Anonymous Coward · · Score: 2, Interesting

      If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

      In this case, it's more like you locked your door, but someone exploited a weakness and gained access.

      If this was a straight hack, then I assume Zurich has no wiggle room.

      What seems to be described in TFS is that since people are attributing this to government sponsored hackers, the exclusion of 'warlike or hostile' activity applies.

      This would create two different classes for purposes of insurance ... one where the hack was by non-government entities, and one where the hack was by government entities.

      Since you can't really prove the claim it was government, how do you know the clause applies?

      This is interesting, because it basically would give insurers an out to say "hey, that was a hostile act by a foreign government, therefore your policy doesn't apply".

      In reality, your analogy has no bearing on the situation, because it's wrong.

    16. Re:no subject by Immerman · · Score: 1

      An abacus.

      Or any of the above, on a computer not connected to a network. Can't exploit a flaw you can't access.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    17. Re:no subject by thegarbz · · Score: 1

      If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

      Simplifying the spread of NotPetya like this (incorrectly I may add) serves zero purpose. It doesn't help people understand what went wrong, it doesn't help people understand how it worked, and it doesn't help people at all with the topic at hand given the insurance company is not saying you left your door open, but rather than Kim Jong Un came and broke it down.

      Please keep stupid discussion to the comments in the Daily Mail. This is Slashdot, we like to believe the comments have a minimum standard.

    18. Re:no subject by Immerman · · Score: 1

      >. If it was easy enough for a crook to climb a ladder and get in a second floor window,

      And if the crook just broke the window, picked the front door lock, or just came in though the wall instead? Physical security is after all almost entirely about making unauthorized entry inconvenient enough that other people are easier targets - not about actually making it terribly difficult to enter. Unpickable locks are almost nonexistent, most can be picked in well under a minute with only moderate skill. Digital locks are generally even less secure. And any criminal worth their salt knows that the door is usually the most secure part of the house anyway, and won't even bother with the lock.

      Perfect security doesn't exist, in any form, because perfect *anything* doesn't exist.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    19. Re:no subject by fluffernutter · · Score: 1

      But is it wrong to say that they should be doing a hell of a lot better?

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    20. Re:no subject by fluffernutter · · Score: 1

      Oh christ. I'm not saying we need to delete the internet. I'm saying now that companies are making a shitload of money off of it, maybe they should give a bit of effort towards making it as safe as possible.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  2. Great summary by bistromath007 · · Score: 4, Insightful

    Definitely don't need to know Zurich's position on the matter, thanks for omitting it

    1. Re:Great summary by piojo · · Score: 2

      Definitely don't need to know Zurich's position on the matter, thanks for omitting it

      From the summary: Both companies declined to comment on the case. It appears their position on the matter will be disclosed at court.

      --
      A cat can't teach a dog to bark.
  3. What's new in insurance companies NOT paying? by Lonewolf666 · · Score: 1

    Insurance company refusing to pay with some feeble excuse?

    Happens all the time, they speculate on being not sued because it would be too much hassle for the customer, or said customer cannot afford a lawyer, or whatever. A bunch of crooks as bad as banks. I have sometimes heard bankers called "banksters", but "insuranksters" would also fit.

    --
    C - the footgun of programming languages
  4. This is just asking for trouble by MikeRT · · Score: 1

    I don't know why any insurance company would offer hacking insurance. It is right up there with "terrorism insurance" or giving life insurance to military servicemen in terms of likelihood that you'll get hit with a payout demand.

  5. Client failed to keep systems patched by Mortimer82 · · Score: 4, Interesting

    NotPetya largely used EternalBlue to exploit unpatched Windows computers.

    If Mondelez had simply kept reasonably upto date with Windows Updates, the damage would have been highly limited, or possibly non-existent. The fact that they claimed damages of $100M means that countless computers were not upto allowing the malware to infect them over their network.
    I hope Zurich wins, because in the same way that insurance companies are not expected to pay out for accidents as a result of a clearly unroadworthy automobile, insurance companies should not be expected to pay out for damages due to grossly negligent IT practices.

    1. Re:Client failed to keep systems patched by Anonymous Coward · · Score: 2, Interesting

      I agree that it was their own negligence that lead to their exploitation, but unfortunately that's not the grounds on which Zurich is denying their claim. Zurich is denying the claim because they are categorizing the attack as cyberwarfare, rather than categorizing the defense as piss-poor as a paper shield in Hell.

      If they denied the claim based on negligence, that would indeed be the precedent we've all been waiting for, because it would inspire every other insurance company to say "why the hell weren't we doing that before?!" and change their policies accordingly. Once that happens, the future will look a lot brighter for everyone.

      If every insurance company were to educate themselves on proper IT security policies and procedures, they could have risk tables for every possible scenario. Weak passwords, insecure cipher suites and outdated software would lead to getting your claims denied and your premiums jacked up. Strong encryption, salted hash tables, reasonably* updated software and abstinence from Windows could score you a lower premium and a stronger guarantee of having your claim approved. On top of that, if the insurance companies have people on staff who know what the right and wrong things to do are, they could offer IT services for an extra fee, providing technicians who can consult with corporate IT staff in order to develop migration strategies for their software and workflow that meet the requirements for saving more on their insurance.

      But that's not what's happening today. Today, we're seeing the normal kind of duck-and-weave bullshit we're used to seeing from insurance companies. They've found some clever way of denying the claim, this time by capitalizing on anti-Russian hysteria. It would have been much easier to deny the claim based on negligence. I don't know why they wouldn't have gone with that route, it would be much easier to prove that their client couldn't have been hit by NotPetya if they were more careful, rather than being faced with the task of proving that a nation state actor had targeted their client during a time of war. Last I checked, Oreo cookies weren't made in Ukraine. Not the ones I've been eating, anyway.

      * Obviously, in a corporate environment, updates can't be applied as quickly as you would on a home system. They need to be tested on a closed system and carefully deployed. Just don't take over five fucking years to update openssl like countless companies have been caught doing lately.

    2. Re: Client failed to keep systems patched by Mortimer82 · · Score: 1

      Thank you for the clarity on the grounds of denial, knowing this I now have the same feelings as you on the matter.

    3. Re:Client failed to keep systems patched by q4Fry · · Score: 1

      +1 Insightful

  6. Cheap out by fluffernutter · · Score: 1

    Here we are in the 21st century and companies are still clearly confused on how expensive using IT really is. They cheap out and then act surprised when there is a hack.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  7. Duty of care by sjbe · · Score: 2

    If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

    Nice strawman you have there.

    That's not what happened and you know it. The question will (should?) come down to whether reasonable duty of care was exercised on the part of the plaintiff and whether the insurance contract was violated by failure of the plaintiff to take reasonably expected security measures and to implement them with reasonable competence. All modern systems have security holes so perfection is not a reasonable expectation.

    1. Re:Duty of care by fluffernutter · · Score: 1

      "All modern systems have security holes" and they shouldn't. It's that simple. If that doubles the cost of software then so be it.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    2. Re:Duty of care by drinkypoo · · Score: 1

      "All modern systems have security holes" and they shouldn't. It's that simple. If that doubles the cost of software then so be it.

      Perfection is not a realistic goal. You get as close as you realistically can, and you spend a reasonable amount of time trying to get closer on the next pass. With that said, few people would argue that enough is being done...

      It would probably much more than double the software cost, but putting that aside, you'd need substantial hardware changes as well. And no doubt some of those would incur performance penalties, which in turn means needing more silicon to do the same job.

      I think there's a market for a platform like that, but it's not realistic to imagine that the world would abandon less-secure platforms for it without being forced to.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Duty of care by laie_techie · · Score: 1

      "All modern systems have security holes" and they shouldn't. It's that simple. If that doubles the cost of software then so be it.

      WONDERFUL! Two times zero is still zero (you're using open-source freeware, right?)

    4. Re:Duty of care by fluffernutter · · Score: 1

      I'm not asking for perfection. The UI can still be messed up so it's not perfect.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    5. Re:Duty of care by drinkypoo · · Score: 1

      I'm not asking for perfection. The UI can still be messed up so it's not perfect.

      I thought we were having a serious conversation about how networking is hard when it gets complex. To my mind we need a mesh internet in order to go forward, which comes with all kinds of new problems with routing. Multi-level web of trust, anyone? Good times.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. Underwriting by sjbe · · Score: 1

    I don't know why any insurance company would offer hacking insurance.

    You can insure anything profitably provided you can charge adequately high premiums. To do that you need to have data about the likelihood of an incident and the financial burden that will result.

    It is right up there with "terrorism insurance" or giving life insurance to military servicemen in terms of likelihood that you'll get hit with a payout demand.

    Evidently you aren't an actuary. Have you actually looked at the risk tables for those activities? The insurance companies have. Yes military service is a dangerous job but you can be assured that fact is priced into the premiums they pay. Insurance companies aren't staffed by idiots and unlike you they actually do the math to figure out the risk/reward for writing a policy. Expected payouts are priced into the model.

  9. The 100M$ question is: Was it Cyberwar? by Confused · · Score: 5, Informative

    Many comments didn't seem to pick up why Zurich is refusing:

    Zurich asserts the attack was done by some foreign government in a hostile or warlike manner, which is excluded from coverage.
    The prime suspect in this case would be Russia.

    It's very common to exclude damages from war in insurance contracts. With foreign nations doing state sanctioned or organised hacking, this becomes very favourable for Zurich. They basically say, we cover only damage from script kiddies, not from foreign secret services waging a cyberwar against the USA.

    Whether Mondelez' are incapable buffoons or they left their doors open with a writte invitiation to plunder them isn't really what this is all about.

    1. Re:The 100M$ question is: Was it Cyberwar? by bill_mcgonigle · · Score: 1

      Right. All Zurich has to do is prove it was a foreign government. This should be interesting to given the NSA's leak of EternalBlue and the CIA's misattribution tools. My guess is US "intelligence" cost Zurich $100M in this one instance (among many).

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:The 100M$ question is: Was it Cyberwar? by najajomo · · Score: 1

      “Mondelez originally made claims for the cost of these damages on its property insurance policy, taken out with Zurich. The policy suggested it was covered for physical loss or damage to electronic data, software and physical damage caused by the malicious code or instruction.” link

      @Confused: “.. Whether Mondelez' are incapable buffoons or they left their doors open with a writte invitiation to plunder them isn't really what this is all about.”

      Yea, it's about your cyber-insurance covers you for loss of data caused by malicious code or instruction, except when you get hacked.

  10. Re:NEVER by FictionPimp · · Score: 1

    Like antivirus, most of the time it's a checkbox required for some kind of compliance. My last company has insurance like this because it was the only way we could get contracts with large companies. No insurance = no sale.

  11. Uncertainty will go away soon by davidwr · · Score: 1

    When contracts come up for renewal, insurance company liability will be spelled out and priced in.

    Company seeking renewal: What's this clause about not covering cyber events?

    Insurance agent: On that's standard now. However, if you want coverage, we'll be glad to sell you a rider, for $MUCHMORETHANYOUPLANNEDFOR.

    Company seeking renewal, after shopping around and finding all financially-sound insurance companies are either not covering cyber events or charging a lot to cover them: Um.....

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  12. Proving it was or wasn't is HARD by Bruce66423 · · Score: 1

    The recent news blaming a 20 yo in his parents' bedroom for the hack of sensitive data about German politicians which was originally blamed on 'state actors' has confused the situation a great deal.

    https://www.theguardian.com/wo...

    It also reminds us that at least some states aren't bothering to defend themselves properly.

  13. You too? by LostMyBeaver · · Score: 1

    I was just wondering how you can file a claim regarding a hack which almost definitely was due to having piss poor security.

    I have worked with national banks who whine about being hacked when they pretty much just leave the door open.

    Rule 1) Cisco, Checkpoint, Pali Alto; etc:.. they do not sell security solutions. They sell overpriced door locks that keep the honest people honest.

    Rule 2) If your company actually got hacked or suffered losses due to a hack, it almost certainly is because you spend too much money on security experts and not nearly enough on security.

  14. Vendor by ArthurVandelay9092 · · Score: 1

    Hold the vendor accountable. Sue Oracle for your Solaris distribution being bugged and flawed. Sue Cisco for their iOS having security holes. Sue Microsoft and VMware. Why we donâ(TM)t because we sold out years back and installed Linux in our datacenters and now the only people held accountable are ourselves. Nicely done!

  15. Perfect security = impossible by sjbe · · Score: 1

    "All modern systems have security holes" and they shouldn't. It's that simple. If that doubles the cost of software then so be it.

    "Double the cost"? HAHAHAHAHAHA... Oh wait, you were serious? Even if it were possible to get perfect security with no holes (it isn't and never will be) it would cost FAR more than double to get even close. The cost of security isn't some linear function. And if you increase the cost too much then the computer system becomes too costly to justify in the first place.

    You can argue they didn't do enough to rise to a reasonable duty of care. It is completely ridiculous to argue that perfect security is even possible much less expected.

  16. No license cost != no cost to use by sjbe · · Score: 1

    WONDERFUL! Two times zero is still zero (you're using open-source freeware, right?)

    Accountant here. Just because the software doesn't have a license cost doesn't mean it is free (as in beer) to use. Still got to pay IT their salaries to install, support, train, and administer. I assure you they get justifiably cranky if you don't send them a paycheck regularly.

    1. Re:No license cost != no cost to use by laie_techie · · Score: 1

      WONDERFUL! Two times zero is still zero (you're using open-source freeware, right?)

      Accountant here. Just because the software doesn't have a license cost doesn't mean it is free (as in beer) to use. Still got to pay IT their salaries to install, support, train, and administer. I assure you they get justifiably cranky if you don't send them a paycheck regularly.

      WHOOSH! Has./ degraded so much I must annotate when the intended sarcasm should have been apparent? Also, opensource freeware is released under a license (such as GPL or BSD

  17. Never cared for them by AndyKron · · Score: 1

    I've never liked Oreo cookies.

  18. RedMonk: Tragedy of the Commons Clause by najajomo · · Score: 1

    “.. the ability of the developers within a given enterprise to use and rely on open source at scale is dependent on its acceptance by that enterprise’s legal department .. The end result is the policies which countless developers operate under today which specify which licenses are approved and which are not.” RedMonk

  19. NotPetya was not Cyber “War” by najajomo · · Score: 1

    “The debate over whether the war exclusion could have applied to NotPetya demonstrates that if insurers are going to continue including the war exclusion on cyber insurance policies, the wording should be reformed to make clear the circumstances required to trigger it. Absent that clarification, insurers and insurance buyers must default to the Law of Armed Conflict, including rulings that might be more than a century old, to discern between the categories of criminal activity and warlike actions. As for the latter, all precedent indicates that NotPetya simply didn’t reach that level.” link

  20. Re:NEVER by mrclevesque · · Score: 1

    "Anytime a company has hack insurance, that tells me their management doesn't trust the I.T. staff ..."

    Sounds right in this case:

    https://www.itpro.co.uk/securi...

    "Instead of a war exclusion clause, Zurich should have invoked a gross negligence clause, which is much easier to prove in this case than attribution to a nation-state, particularly considering Mondelez was hit twice by the same ransomware," he said. The "fool me once" proverb is fully applicable here: while many companies fall victims to ransomware, one of the first steps to recovery is to make sure it doesn't happen again."