Slashdot Mirror


Mondelez, the US Food Company That Owns Oreo and Cadbury Brands, Sues Zurich in Test For Cyber Hack Insurance (ft.com)

Mondelez, the US food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, for refusing to pay out on a $100m claim for damage caused by the NotPetya cyber attack. From a report: The case will be the first serious legal dispute over how companies can recover the costs of a cyber attack [Editor's note: the article may be paywalled; alternative source], as insurance groups seek to tightly define their liabilities. "It's a pretty big deal. I've never seen an insurance company take this position," said Robert Stines, a cyber law specialist at the US law firm Freeborn. "It's going to send ripples through the insurance industry. Major companies are going to rethink what's in their policies." The NotPetya attack in the summer of 2017 crippled the computer systems of companies around the world, including Merck, the pharmaceuticals company, Reckitt Benckiser, the consumer group, and Maersk, the world's largest shipping group. It caused billions of dollars of damage and has been blamed by the US and the UK on Russian hackers attacking the Ukrainian government.

[...] According to the Mondelez court documents, Zurich initially worked to adjust the claim in the usual way and at one point even promised to make a $10m interim payment. But it later refused to pay, relying on an exclusion in the policy for "a hostile or warlike action" by a government or sovereign power or people acting for them. Mondelez described Zurich's refusal as "unprecedented" and is seeking $100m in damages. Both companies declined to comment on the case.

12 of 73 comments

  1. no subject by fluffernutter · · Score: 4, Insightful

    If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:no subject by Nidi62 · · Score: 2

      If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

      Especially if you did it twice since, according to the alt source, Mondelez got hit by NotPetya several times. As they say in Texas: "Fool me once, shame on me. Fool me twice, not....not gonna fool me again." Or something. I hope Zurich wins so that companies actually start seeing a financial incentive towards basic system security.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    2. Re:no subject by jellomizer · · Score: 2

      That isn't an apt analogy.
      It is more like you didn't lock your windows on your second floor. The crook just used a ladder, got in and stole your stuff, and your home insurance, which was supposed to help cover theft, didn't cover it because your house wasn't a fortress.

      The problem with IT security today is that nearly every system needs military-grade security on it, which is often expensive and hinders the overall usefulness of the IT infrastructure.

      This is why these companies buy cyber hack insurance: to help make sure hacks don't kill the business. As for the insurance company, it really should have done a better risk assessment and charged Mondelez based on their risk, given them help on improving security, or just refused to cover them as being too risky.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:no subject by fluffernutter · · Score: 2

      If said company wants to use technology with cracks then it is up to said company to stay ahead of such cracks. Yes it can be expensive and complicated, not my problem. Maybe companies should demand more secure software.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    4. Re:no subject by postbigbang · · Score: 2

      That's the (w)hole point. What are due diligence and best practices against an unknown zero-day? Companies DO demand more secure software, operating platforms, monitoring, intrusion detection, and more.

      They're up against an obscene number of known uncorrected problems as well as unknown, uncorrected problems. Stuff happens.

      The car analogy is you hit black ice, which you couldn't see, and you spin out of control and hit something. In that case, your insurance pays anyway. You did your best, and there are minimum speed limits on most roads and you watched as well as you could and you hit the ice and spun out anyway.

      I do not believe, however, that "expensive and complicated" has to be the rule. Although there may be the rare exception, everyone using a computer in the US, where I live, has been a victim of an authorized disclosure.

      And no one says, gimme that insecure software stuff, 'cause it looks juicy. Instead, they click on a phish that loads them with a dose of malware, and wittingly or not, become an infection vector.

      --
      ---- Teach Peace. It's Cheaper Than War.
    5. Re:no subject by Anonymous Coward · · Score: 2, Interesting

      If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

      In this case, it's more like you locked your door, but someone exploited a weakness and gained access.

      If this was a straight hack, then I assume Zurich has no wiggle room.

      What seems to be described in TFS is that since people are attributing this to government sponsored hackers, the exclusion of 'warlike or hostile' activity applies.

      This would create two different classes for purposes of insurance ... one where the hack was by non-government entities, and one where the hack was by government entities.

      Since you can't really prove the claim it was government, how do you know the clause applies?

      This is interesting, because it basically would give insurers an out to say "hey, that was a hostile act by a foreign government, therefore your policy doesn't apply".

      In reality, your analogy has no bearing on the situation, because it's wrong.

  2. Great summary by bistromath007 · · Score: 4, Insightful

    Definitely don't need to know Zurich's position on the matter, thanks for omitting it

    1. Re:Great summary by piojo · · Score: 2

      Definitely don't need to know Zurich's position on the matter, thanks for omitting it

      From the summary: Both companies declined to comment on the case. It appears their position on the matter will be disclosed at court.

      --
      A cat can't teach a dog to bark.
  3. Client failed to keep systems patched by Mortimer82 · · Score: 4, Interesting

    NotPetya largely used EternalBlue to exploit unpatched Windows computers.

    If Mondelez had simply kept reasonably up to date with Windows Updates, the damage would have been highly limited, or possibly non-existent. The fact that they claimed damages of $100M means that countless computers were not up to date, allowing the malware to infect them over their network.
    I hope Zurich wins, because in the same way that insurance companies are not expected to pay out for accidents as a result of a clearly unroadworthy automobile, insurance companies should not be expected to pay out for damages due to grossly negligent IT practices.
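    The exposure this comment describes (hosts still speaking SMBv1, the protocol EternalBlue exploits) can be audited per host. The script below is an added example, not code from the thread or the article; it assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare module, an elevated PowerShell session, and that SMBv1 audit logging (Windows 10 / Server 2016+) is available where `-AuditFirst` is used.

```powershell
# Added example (not from the thread or the article): report whether this Windows host
# still serves SMBv1 and optionally turn it off. Assumes Windows 8.1 / Server 2012 R2 or
# later with the SmbShare module, run from an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate,   # disable SMBv1 instead of only reporting
    [switch]$AuditFirst   # Windows 10 / Server 2016+: log SMB1 clients before cutting them off
)

function Get-Smb1Exposure {
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $listen  = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { [string]$feature.State } else { 'NotQueryable' }
        Port445Listening  = [bool]$listen
        # A host answering on 445 with SMBv1 enabled is reachable over the worm's exploit path.
        ExposedToSmb1     = [bool]($server.EnableSMB1Protocol -and $listen)
    }
}

$report = Get-Smb1Exposure
$report | Format-List

if ($AuditFirst) {
    # Writes event ID 3000 to Microsoft-Windows-SMBServer/Audit for each SMB1 client, so
    # legacy printers or NAS boxes are found before the cut-over rather than after it.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force -ErrorAction SilentlyContinue
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object Id -eq 3000 | Select-Object TimeCreated, Message
}

if ($Remediate -and $report.ExposedToSmb1) {
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server and remove the SMB1Protocol feature')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue
        # Removing the protocol closes the entry point but is not a substitute for the MS17-010
        # update; confirm patch state through the update-management system as well.
    }
}
```

Run with `-WhatIf -Remediate` to see what would change on a host without touching it.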

    1. Re:Client failed to keep systems patched by Anonymous Coward · · Score: 2, Interesting

      I agree that it was their own negligence that led to their exploitation, but unfortunately that's not the grounds on which Zurich is denying their claim. Zurich is denying the claim because they are categorizing the attack as cyberwarfare, rather than categorizing the defense as piss-poor as a paper shield in Hell.

      If they denied the claim based on negligence, that would indeed be the precedent we've all been waiting for, because it would inspire every other insurance company to say "why the hell weren't we doing that before?!" and change their policies accordingly. Once that happens, the future will look a lot brighter for everyone.

      If every insurance company were to educate themselves on proper IT security policies and procedures, they could have risk tables for every possible scenario. Weak passwords, insecure cipher suites and outdated software would lead to getting your claims denied and your premiums jacked up. Strong encryption, salted hash tables, reasonably* updated software and abstinence from Windows could score you a lower premium and a stronger guarantee of having your claim approved. On top of that, if the insurance companies have people on staff who know what the right and wrong things to do are, they could offer IT services for an extra fee, providing technicians who can consult with corporate IT staff in order to develop migration strategies for their software and workflow that meet the requirements for saving more on their insurance.

      But that's not what's happening today. Today, we're seeing the normal kind of duck-and-weave bullshit we're used to seeing from insurance companies. They've found some clever way of denying the claim, this time by capitalizing on anti-Russian hysteria. It would have been much easier to deny the claim based on negligence. I don't know why they wouldn't have gone with that route, it would be much easier to prove that their client couldn't have been hit by NotPetya if they were more careful, rather than being faced with the task of proving that a nation state actor had targeted their client during a time of war. Last I checked, Oreo cookies weren't made in Ukraine. Not the ones I've been eating, anyway.

      * Obviously, in a corporate environment, updates can't be applied as quickly as you would on a home system. They need to be tested on a closed system and carefully deployed. Just don't take over five fucking years to update openssl like countless companies have been caught doing lately.

  4. Duty of care by sjbe · · Score: 2

    If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

    Nice strawman you have there.

    That's not what happened and you know it. The question will (should?) come down to whether reasonable duty of care was exercised on the part of the plaintiff and whether the insurance contract was violated by failure of the plaintiff to take reasonably expected security measures and to implement them with reasonable competence. All modern systems have security holes so perfection is not a reasonable expectation.

  5. The 100M$ question is: Was it Cyberwar? by Confused · · Score: 5, Informative

    Many comments didn't seem to pick up why Zurich is refusing:

    Zurich asserts the attack was done by some foreign government in a hostile or warlike manner, which is excluded from coverage.
    The prime suspect in this case would be Russia.

    It's very common to exclude damages from war in insurance contracts. With foreign nations doing state sanctioned or organised hacking, this becomes very favourable for Zurich. They basically say, we cover only damage from script kiddies, not from foreign secret services waging a cyberwar against the USA.

    Whether Mondelez are incapable buffoons or they left their doors open with a written invitation to plunder them isn't really what this is all about.