Slashdot Mirror


Mondelez, the US Food Company That Owns Oreo and Cadbury Brands, Sues Zurich in Test For Cyber Hack Insurance (ft.com)

Mondelez, the US food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, for refusing to pay out on a $100m claim for damage caused by the NotPetya cyber attack. From a report: The case will be the first serious legal dispute over how companies can recover the costs of a cyber attack [Editor's note: the article may be paywalled; alternative source], as insurance groups seek to tightly define their liabilities. "It's a pretty big deal. I've never seen an insurance company take this position," said Robert Stines, a cyber law specialist at the US law firm Freeborn. "It's going to send ripples through the insurance industry. Major companies are going to rethink what's in their policies." The NotPetya attack in the summer of 2017 crippled the computer systems of companies around the world, including Merck, the pharmaceuticals company, Reckitt Benckiser, the consumer group, and Maersk, the world's largest shipping group. It caused billions of dollars of damage and has been blamed by the US and the UK on Russian hackers attacking the Ukrainian government.

[...] According to the Mondelez court documents, Zurich initially worked to adjust the claim in the usual way and at one point even promised to make a $10m interim payment. But it later refused to pay, relying on an exclusion in the policy for "a hostile or warlike action" by a government or sovereign power or people acting for them. Mondelez described Zurich's refusal as "unprecedented" and is seeking $100m in damages. Both companies declined to comment on the case.

4 of 73 comments

  1. no subject by fluffernutter · Score: 4, Insightful

    If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  2. Great summary by bistromath007 · Score: 4, Insightful

    Definitely don't need to know Zurich's position on the matter, thanks for omitting it

  3. Client failed to keep systems patched by Mortimer82 · Score: 4, Interesting

    NotPetya largely used EternalBlue to exploit unpatched Windows computers.

    If Mondelez had simply kept reasonably up to date with Windows Updates, the damage would have been highly limited, or possibly non-existent. The fact that they claimed damages of $100M means that countless computers were not up to date, allowing the malware to infect them over their network.
    I hope Zurich wins, because in the same way that insurance companies are not expected to pay out for accidents as a result of a clearly unroadworthy automobile, insurance companies should not be expected to pay out for damages due to grossly negligent IT practices.

  4. The 100M$ question is: Was it Cyberwar? by Confused · Score: 5, Informative

    Many comments didn't seem to pick up why Zurich is refusing:

    Zurich asserts the attack was done by some foreign government in a hostile or warlike manner, which is excluded from coverage.
    The prime suspect in this case would be Russia.

    It's very common to exclude damages from war in insurance contracts. With foreign nations doing state sanctioned or organised hacking, this becomes very favourable for Zurich. They basically say, we cover only damage from script kiddies, not from foreign secret services waging a cyberwar against the USA.

    Whether Mondelez are incapable buffoons or they left their doors open with a written invitation to plunder them isn't really what this is all about.