Mondelez International, maker of Oreos and Ritz Crackers, has settled a lawsuit against its cyber insurer after the provider refused to cover a multimillion-dollar clean-up bill stemming from the sprawling NotPetya ransomware attack in 2017.
The snack giant originally brought the suit against Zurich American Insurance back in 2018, after NotPetya had completed its global cyber-ransacking of major multinational corporations, and the case has since been tied up in court. Terms of the deal have not been disclosed, but a “settlement” would indicate a compromise resolution — illustrating just how thorny an issue cyber-insurance exclusion clauses can be.
NotPetya: Act of War?
The lawsuit hinged on the contract terms in the cyber insurance policy — specifically, an exclusion carve-out for damages caused by acts of war.
NotPetya, which the US government in 2018 dubbed the “most destructive and costliest cyberattack in history,” started out by compromising Ukrainian targets before spreading globally, ultimately impacting companies in 65 countries and costing billions in damage. It spread rapidly thanks to the use of the EternalBlue exploit in the attack chain: a leaked NSA tool that targets a flaw in the SMBv1 file-sharing protocol (patched by Microsoft in MS17-010) and lets malware propagate itself from system to system with no user interaction. Notable victims of the attack included FedEx, shipping behemoth Maersk, and pharmaceutical giant Merck, among many others.
In the case of Mondelez, the malware locked up 1,700 of its servers and a staggering 24,000 laptops, leaving the corporation incapacitated and reeling from more than $100 million in damages, downtime, lost profits, and remediation costs.
As if that weren’t tough enough to swallow, the food kahuna soon found itself choking on the response from Zurich American when it filed a cyber insurance claim: The underwriter had no intention of covering the costs, citing the aforementioned exclusion clause that included the language “hostile or warlike action in time of peace or war” by a “government or sovereign power.”
Thanks to world governments’ attribution of NotPetya to the Russian state, and the original mission of the attack to strike a known kinetic adversary of Moscow, Zurich American had a case — despite the fact that the Mondelez attack was certainly unintended collateral damage.
However, Mondelez argued that Zurich American’s contract left some disputed crumbs on the table, as it were, given the lack of clarity in what could and could not be covered in an attack. Specifically, the insurance policy clearly stated that it would cover “all risks of physical loss or damage” — emphasis on “all” — “to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.” It’s a situation that NotPetya perfectly embodies.
Caroline Thompson, head of underwriting at Cowbell Cyber, a cyber insurance provider for small and midsize businesses (SMBs), notes that the lack of clear cyber insurance policy wording left the door open for Mondelez’s challenge, and should act as a cautionary message to others negotiating coverage.
“The scope of coverage, and the application of war exclusions, remains one of the most challenging areas for insurers as cyber threats continue to evolve, businesses increase their dependencies on digital operations, and geopolitical tensions continue to have widespread impact,” she tells Dark Reading. “It is paramount for insurers to be familiar with the terms of their policy and seek clarification where needed, but also opt for modern cyber-policies that can evolve and adapt at the pace their risk and exposures do.”
There’s one glaring issue in making war exclusions stick for cyber insurance: the difficulty of proving that attacks are indeed “acts of war,” a burden that generally requires determining on whose behalf they were carried out.
In the best of cases, attribution is more of an art than a science, with a shifting set of criteria underpinning any confident finger-pointing. Rationales for advanced persistent threat (APT) attribution often rely on far more than quantifiable technology artifacts, or overlaps in infrastructure and tooling with known threats.
Squishier criteria can include aspects such as victimology (i.e., are the targets consistent with state interests and policy goals?); the subject matter of social-engineering lures; coding language; level of sophistication (does the attacker need to be well-resourced? Did they use an expensive zero-day?); and motive (is the attack bent on espionage, destruction, or financial gain?). There’s also the issue of false-flag operations, where one adversary manipulates these levers to frame a rival or adversary.
“What is shocking to me is the idea of verifying that these attacks can be reasonably attributed to a state — how?” says Philippe Humeau, CEO and co-founder of CrowdSec. “It is well known that you can hardly track a decently skilled cybercriminal’s base of operations, since air-gapping their operations is the first line of their playbook. Two, governments are not willing to actually admit they do provide cover for the cybercriminals in their countries. Three, cybercriminals in many parts of the world are usually some mix of corsairs and mercenaries, faithful to whatever entity/nation-state may be funding them, but totally expendable and deniable if there are ever questions about their affiliation.”
That’s why, absent a government taking responsibility for an attack à la terrorist groups, most threat-intelligence firms will caveat state-sponsored attribution with phrases like, “we determine with low/moderate/high confidence that XYZ is behind the attack,” and, to boot, different firms may name different sources for any given attack. If it’s that difficult for professional cyber-threat hunters to pin down the culprits, imagine how difficult it is for cyber-insurance adjusters operating with a fraction of the skills.
If the standard for proof of an act of war is wide governmental consensus, this also poses issues, Humeau says.
“Accurately attributing attacks to nation-states would require cross-country legal cooperation, which has historically proven to be both difficult and slow,” says Humeau. “So the idea of attributing these attacks to nation-states who will never ‘fess up to it leaves too much room for doubt, legally speaking.”
An Existential Threat to Cyber Insurance?
To Thompson’s point, one of the realities in today’s environment is the sheer volume of state-sponsored cyber activity in circulation. Bryan Cunningham, attorney and advisory council member at data security company Theon Technology, notes that if more and more insurers simply deny all claims stemming from such activity, there could be very few payouts indeed. And, ultimately, companies may not see cyber-insurance premiums as worth it anymore.
“If a significant number of judges actually begin allowing carriers to exclude coverage for cyberattacks just upon a claim that a nation-state was involved, this will be as devastating to the cyber insurance ecosystem as 9/11 was (temporarily) to commercial real estate,” he says. “As a result, I do not think many judges will buy this, and proof, in any event, will almost always be difficult.”
In a different vein, Ilia Kolochenko, chief architect and CEO of ImmuniWeb, notes that the cybercriminals will find a way to use the exclusions to their advantage — undercutting the value of having a policy even further.
“The problem stems from a possible impersonation of well-known cyber-threat actors,” he says. “For instance, if cybercriminals — unrelated to any state — wish to amplify the damage caused to their victims by excluding the eventual insurance coverage, they may simply try to impersonate a famous state-backed hacking group during their intrusion. This will undermine trust in the cyber-insurance market, as any insurance may become futile in the most serious cases that actually require the coverage and justify the premiums paid.”
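The attribution problems described above (soft criteria, firms weighting evidence differently, and criminals impersonating a state-backed group to trigger an exclusion) can be made concrete with a small scorer. The following is an added example written for this page, not code from the article or from any of the firms quoted; the criterion weights, the two “firm” weighting tables, the confidence thresholds, and the judgement of which indicators an unrelated actor could cheaply forge are all assumptions made for illustration, and the evidence sets are constructed, not from a real case.

```python
"""Illustrative attribution-confidence scorer (added example, not from the article).

Each piece of evidence is tagged with the criterion it supports and whether an
unrelated actor could cheaply forge it. The scorer never returns more than LOW
confidence when every indicator is forgeable, which is how a false-flag campaign
that copies a known group's tooling, lures and target selection is handled here.
Weights, forgeability flags and thresholds are assumptions for this example.
"""
from dataclasses import dataclass
from enum import Enum


class Confidence(Enum):
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class Evidence:
    criterion: str    # "infrastructure", "tooling", "victimology", "lure", "language", "sophistication"
    detail: str
    forgeable: bool   # assumption: could an unrelated actor reproduce this indicator cheaply?


# Assumed per-criterion weights for two hypothetical analysis firms; the second
# table shows that identical evidence can yield different verdicts.
WEIGHTS_FIRM_A = {"infrastructure": 3.0, "tooling": 1.5, "victimology": 1.0,
                  "lure": 0.5, "language": 0.5, "sophistication": 1.0}
WEIGHTS_FIRM_B = {"infrastructure": 2.0, "tooling": 2.5, "victimology": 1.5,
                  "lure": 1.0, "language": 1.0, "sophistication": 1.5}

# Assumed thresholds on the raw score, checked from highest to lowest.
THRESHOLDS = [(6.0, Confidence.HIGH), (3.0, Confidence.MODERATE), (0.0, Confidence.LOW)]


def score(evidence, weights):
    """Raw score: sum of the weights of every criterion the evidence supports."""
    return sum(weights.get(e.criterion, 0.0) for e in evidence)


def assess(evidence, weights=WEIGHTS_FIRM_A):
    """Return (raw_score, Confidence) for an evidence set under a weighting table."""
    if not evidence:
        return 0.0, Confidence.NONE
    raw = score(evidence, weights)
    label = Confidence.LOW
    for threshold, conf in THRESHOLDS:
        if raw >= threshold:
            label = conf
            break
    # False-flag guard: if nothing in the set would be costly to forge, the
    # verdict cannot rise above LOW no matter how high the raw score is.
    if all(e.forgeable for e in evidence) and label.value > Confidence.LOW.value:
        label = Confidence.LOW
    return raw, label


# Constructed evidence sets (illustrative, not from any real investigation).
GENUINE = [
    Evidence("infrastructure", "C2 domain hosted on an IP range used in the group's earlier operations", False),
    Evidence("tooling", "same custom loader family as prior campaigns", True),
    Evidence("victimology", "targets match the suspected sponsor's policy interests", True),
    Evidence("lure", "decoy document on a regional policy topic", True),
    Evidence("sophistication", "previously unseen exploit used for initial access", False),
]

IMPERSONATION = [
    Evidence("tooling", "loader and operator strings copied from public reports on the group", True),
    Evidence("victimology", "victims chosen to resemble the group's usual targets", True),
    Evidence("lure", "decoy document mimicking the group's known lures", True),
    Evidence("language", "code comments and build timestamps faked to match the group's locale", True),
]

PARTIAL = [
    Evidence("infrastructure", "one C2 server overlaps with the group's known infrastructure", False),
    Evidence("tooling", "same commodity tooling seen in the group's campaigns", True),
    Evidence("victimology", "targets match the suspected sponsor's policy interests", True),
]


def report(evidence):
    """Verdicts from both weighting tables for the same evidence set."""
    return {"firm_a": assess(evidence, WEIGHTS_FIRM_A),
            "firm_b": assess(evidence, WEIGHTS_FIRM_B)}


if __name__ == "__main__":
    for name, ev in [("genuine", GENUINE), ("impersonation", IMPERSONATION), ("partial", PARTIAL)]:
        print(name, {k: (s, c.name) for k, (s, c) in report(ev).items()})
```

The point of the guard is the impersonation case: under the second weighting its raw score clears the HIGH threshold, yet because every indicator is something a criminal crew could copy from public reporting, the verdict stays at LOW. The partial case shows the other problem the article raises, with the same three pieces of evidence landing at MODERATE under one weighting and HIGH under the other.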
The Question of Exclusions Remains Unsettled
Even though the Mondelez-Zurich American settlement would seem to indicate that the insurer succeeded in at least partially making its point (or perhaps neither side had the stomach for incurring further legal costs), there is conflicting legal precedent.
Another NotPetya case, between Merck and ACE American Insurance over the same issue, was put to bed in January, when the Superior Court of New Jersey ruled that act-of-war exclusions only extend to real-world physical warfare, leaving the underwriter on the hook for Merck’s heaping $1.4 billion claim.
Despite the unsettled nature of the area, some cyber-insurers are going forward with war exclusions, most notably Lloyd’s of London. In August the market stalwart told its syndicates that they will be required to exclude coverage for state-backed cyberattacks beginning in April 2023. The idea, the memo noted, is to protect insurance companies and their underwriters from catastrophic loss.
Even so, success for such policies remains to be seen.
“Lloyd’s, and other carriers, are working on making such exclusions stronger and absolute, but I think this, too, ultimately will fail because the cyber-insurance industry likely could not survive such changes for long,” Theon’s Cunningham says.