EXECUTIVE SUMMARY:

Let’s face it: The best way to protect your organization when it comes to cybersecurity is to make sure you have the right technologies in place to prevent attacks from getting into your infrastructure. While some companies might think that cyber insurance is the ace up their sleeve, recent news regarding a NotPetya-related insurance claim being rejected might prompt them to rethink that notion.

Cyber insurance firm Zurich is refusing to pay snack company Mondelez for damage resulting from the NotPetya cyberattack in 2017. The reason cited by Zurich is that the cyberattack was considered an act of war.

According to Bloomberg opinion columnist Leonid Bershidsky, “Mondelez claimed $100 million on its insurance policy because it believed the permanent damage to 1,700 of its servers and 24,000 laptops, inflicted by NotPetya, plus the theft of thousands of user credentials, unfulfilled customer orders and other losses fell under the provision of its insurance policy that covered ‘physical loss or damage to electronic data, programs, or software’ caused by ‘the malicious introduction of a machine code or instruction.’”

TechBizWeb reports that in March 2018, Zurich was classifying NotPetya as ransomware and holding it up as an example of why businesses should purchase cyber insurance. But a few months later, in June, Zurich officially denied Mondelez’s claim, pointing to a common ‘act of war’ exclusion found in many policies.

So what happened between March and June? The UK, US, Canada, and Australia started publicly blaming Russia for the cyberattack. As Bloomberg and others point out, countries have taken to calling out other countries believed to be involved, in the hope of sending a signal along the lines of “We know what you’ve done.”

But such accusations and proclamations typically don’t come with proof. Bershidsky writes, “The lawsuit raises the question of whether the claims from official sources should be admissible as evidence, even when they lack substantiation.”

It’s a curious case, especially when you consider some of the cyberattacks we’ve seen in the past year in which nation-backed hackers attempted to steal intellectual property or infiltrate critical infrastructure through supply chain vendors. In today’s world, an act of war can come in a variety of subtle forms.

If businesses are going to be caught in the middle of nation-state cyberattacks, it might be wise to revisit how to protect them and help keep them solvent. That could mean refraining from publicly and officially blaming governments for cyberattacks. Or maybe it means insurance companies need to change how they write insurance policies.

It’ll be interesting to see what kind of impact this case has on the number of companies taking out cyber insurance policies.

Get the full story at Bloomberg.