Mondelez, the US food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, for refusing to pay out on a $100 million claim for damage caused by the NotPetya cyberattack.
NotPetya affected companies worldwide with a massive ransomware attack in 2017 that permanently damaged 1,700 Mondelez servers and 24,000 laptops.
As ZDNet points out, Mondelez’s cyberinsurance policy covered “physical loss or damage to electronic data, programs, or software” with “the malicious introduction of a machine code or instruction”.
In February 2018, however, the UK government officially blamed Russia for the NotPetya campaign, followed by the U.S., Canada and Australia.
Now, Zurich’s refusal to pay, relying on an exclusion in the policy for “hostile or warlike action in time of peace or war […] by a government or sovereign power or people acting for them”, raises the question of how the “war exclusion” factors into the current evolution of cyberattacks. This event potentially creates a new point of instability in the cybersecurity area: cyberattacks may be considered acts of war and therefore no longer be mitigated by cyberinsurance.

Apart from the direct consequences for the victim of NotPetya, the Zurich decision raises two main questions that European cybersecurity stakeholders should tackle before the issue becomes a serious problem for the whole cybercommunity:

  1. To what extent and under which conditions can a cyberattack be considered an act of war?
  2. Which authority can judge, as an independent authority, whether a cyberattack can be considered an act of war?

Let us know your opinion on this development in the cyberinsurance landscape by joining our next workshop on “Insurance in Cyber-security”, to be held in March in Milan (Italy): keep following us to know more.

 

This article has been written by project member ZenaByte. ZenaByte is a spin-off of the DIBRIS Department of the University of Genoa whose main object is the development of innovative methodologies for intelligent management, interpretation and extraction of knowledge from data.