US food giant Mondelēz is suing its insurance firm for refusing to pay damages after the NotPetya cyberattack.
Mondelēz, owner of the Oreo and Cadbury brands, is suing its insurance firm Zurich for refusing to pay out on a $100m claim for damages caused by the devastating NotPetya attack. According to court papers viewed by the Financial Times, 24,000 laptops and 4,000 servers were rendered “permanently dysfunctional” following the attack.
What was NotPetya?
For those whose memories need jogging, the NotPetya attack was an extensive wiper ransomware campaign, which was also referred to by several other names, including GoldenEye, ExPetr and Petya. Major organisations around the world were affected, from the Maersk shipping company to a Kiev airport. Almost a year ago, UK authorities placed the blame on Russian actors. The entire goal of NotPetya was to inflict as much damage as possible on affected networks.
When it was affected by NotPetya, Mondelēz originally made claims for the cost of damages on its Zurich property insurance policy. The policy suggested the company was covered for physical loss or damage to electronic data, software and physical damage caused by the malicious code. Staff and factories were affected, naturally resulting in a dent in the firm’s profit margins.
The insurance company initially agreed to stump up a $10m interim payment, but later walked this back. It cited an exclusion that a “hostile or warlike action” by a nation-state or people acting on behalf of said nation meant it did not have to pay out.
A pivotal case
This case is particularly notable when you look at attribution and it is likely to give cybersecurity firms pause for thought when it comes to their own policies. As governments blamed the NotPetya attack on the Russian military, the link to the country has had an effect on the suit.
Legal firm Marsh & McLennan said that as NotPetya hit non-military targets who operated outside of any form of warfare, the damage was purely economic as opposed to resulting in loss of life or injury. Senior vice-president at the firm, Matthew McCabe, told ZDNet: “As cyberattacks continue to grow in severity, insurers and insurance buyers will revisit the issue of whether the war exclusion should apply to a cyber incident.”
The attribution of NotPetya to Russia could see this play out in future, as other insurers may use the same legal argument in other cases relating to cybersecurity claims. It remains to be seen whether these changes materialise as cyber-specific policies purchased by firms, or a tightening of terms and conditions for their general coverage, such as company property insurance.