The company argues that its insurance does not cover damage caused “by Acts of war”
According to network security and ethical
hacking specialists from the International Institute of Cyber Security, the
American company Mondelez, dedicated
to food, beverages and snacks, has decided to sue its insurance company by an
estimated figure of $100M USD. According to the reports, the company claims
that its insurer has refused to cover the damage caused by an infection of NotPetya
ransomware, arguing that this infection is part of a “cyber war campaign”,
scenario that is not covered by the insurance policy.
Zurich American
Insurance Company
has refused to pay a policy which explicitly mentions that its insurance “covers
all risks of loss or physical, data, programs or any software damages, including
damage caused in the event of malicious software injection in the Mondelez
infrastructure.”
This claim originated during the outbreak of
the ransomware NotPetya in 2017. According to experts in network security, it is a Windows-based malware capable of encrypting the file system
table of a hard drive, preventing the system from starting. The company claims
that due to this attack it lost 1 700 servers and 24 000 portable computer
equipment.
The United Kingdom government, supported by
evidence gathered by multiple network security experts, said the Russian
government was behind the NotPetya attack, which also affected Ukraine’s energy
infrastructure, but the Russian authorities have repeatedly denied such
accusations.
Multiple private companies were also affected
by NotPetya. Maersk shipping company, for example, claims to have lost about $300M
USD due to these attacks; On the other hand, FedEx reported losses for a
similar amount. It is estimated that insurance companies should spend about $80
billion USD to cover their policies.
After analyzing the Mondelez sue; Zurich
insurance company began investigating the case with the intention of reducing
the economic claims of the American company. Although Zurich offered Mondelez
an initial payment of $10M USD, the insurer has denied what is claimed in the
lawsuit, alleging that there is a “hostile or warlike action” or “government
intervention” exclusion clause.
According to reports of experts in network
security, the insurer argues that the attack was provoked by the Russian
government as an act of war, a scenario that does not cover the Mondelez’s
insurance policy.
This is an unprecedented case, although Mondelez
argues that the insurer must demonstrate that, indeed, the Russian government
is behind these attacks, which is a difficult task.
It is believed that, if the case was won, the
Zurich insurer would establish a precedent in which this class of companies began
to revise their policies, generating a new offer in protection against cyber
threats.
