In October 2018, Mondelez International filed suit against Zurich American Insurance Company. At stake is a $100 million insurance claim for damage caused by NotPetya. Zurich has rejected the claim, and Mondelez — owner of the Oreo, Cadbury, Milka and Toblerone brands — is suing for breach of (cyber insurance) contract.
Mondelez (NASDAQ: MDLZ) has an insurance policy with Zurich for “all risks of physical loss or damage”, including “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction…”
In June 2017, Mondelez succumbed to NotPetya, along with many others. It “rendered permanently dysfunctional approximately 1700 of MDLZ’s servers and 24.000 of its laptops… MOLZ incurred property damage, commercial supply and distribution disruptions. unfulfilled customer orders, reduced margins, and other covered losses aggregating well in excess of $100,000,000.”
NotPetya was a destructive malware introduced to the servers of Ukraine accounting software firm M.E.Doc. It was a supply chain attack that infected organizations using M.E.Doc software and then spread via the NSA-linked EternalBlue exploit. Since it also impacted multinational companies trading in Ukraine, it spread further into the wider world — including to Mondelez.
In March 2018, Zurich was classifying NotPetya as ransomware, and was even using it as a reason for taking out cyber insurance. But on June 1, 2018 it wrote to Mondelez saying it was denying the claim. The reason was the fairly standard ‘act of war’ exclusion in many insurance policies.
Specifically, the Zurich policy excludes “loss or damage” caused by a “hostile or warlike action in time of peace or war” by any “(i) government or sovereign power…; (ii) military, naval, or air force; or (iii) agent or authority of any party specified in i or ii above.”
It seems that between March and June 2018, Zurich changed its classification of NotPetya from a criminal act to an act of war. This is the centerpiece of the legislation, and revolves around two questions that are hotly debated in cybersecurity: how can you definitively attribute the source of a malware attack; and when does a cyber incident become an act of war.
Belief is irrelevant. Most people accept that NotPetya was sourced by Russian state-affiliated actors, and that it was an act of war against Ukraine that spilled out into the wider world. Proving that to the satisfaction of a court of law is a different matter.
Russia has denied any involvement. But first the UK government, and then the remaining Five Eyes nations of the U.S, Canada, Australia and New Zealand, have all blamed Russia. The U.S. statement, dated February 15, 2018, says, “In June 2017, the Russian military launched the most destructive and costly cyber-attack in history… It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.”
On the surface, this statement supports Zurich’s exclusion of the Mondelez claim. But there are two weaknesses: firstly, intelligence agencies rarely provide proof of their assertions, and haven’t done so here. It raises the arguable possibility that this is a political statement rather than a proven fact. It does happen. Reports on Saddam Hussein’s nuclear intentions and other weapons of mass destruction are an example.
Secondly, failures in accurate attribution are not uncommon. Within the last week, ransomware (Ryuk) that had previously been linked with North Korea is now being linked with a “Russian-speaking actor”.
Perhaps the safer approach to government assertions of responsibility is to wait for actual indictments. Where this happens, the government is likely to be confident in the proof it has and is willing to make those assertions in open court, if the perpetrators are ever arrested.
Against this background to the Mondelez/Zurich case is the wider issue of the value of cyber insurance. If Zurich wins the case, will it mean that any malware attack that is ascribed to state actors can be excluded as an act of war? Whether accurately or not, a growing number of major cyber-attacks are being attributed to state-affiliated actors from countries such as Russia, China, Iran and North Korea. Where this is proven — or at least accepted by the courts — the Zurich exclusion clause would be validated.
It is fundamentally a question of attribution — a problem that has not been solved. It may, however, provide a home for the independent, international panel of experts proposed by Microsoft in its ‘Norms‘ paper. Insurance companies would be more likely to accept an independent ruling than governments.