back to article Cyber-insurance shock: Zurich refuses to foot NotPetya ransomware clean-up bill – and claims it's 'an act of war'

US snack food giant Mondelez is suing its insurance company for $100m after its claim for cleaning up a massive NotPetya ransomware infection was rejected – for being "an act of war" and therefore not covered under its policy. Zurich American Insurance Company has refused to pay out on a Mondelez policy that explicitly stated …

  1. gerdesj Silver badge
    Windows

    War? Nope

    Bad move. Mondelez is probably going to have to prove that the US is actually at war with whomever delivered NotPetya (NP). NP might well have been developed for the Russian state or not (who cares - its still nasty) but that does not constitute war.

    The US and Russia are not at war: there is no merit in trying to claim otherwise. It might be considered inflammatory and perhaps reckless to imply a state of war might exist.

    1. Anonymous Coward
      Anonymous Coward

      Re: War? Nope

      I hope you read your own contracts more carefully than that, because an exclusion for "hostile or warlike action in time of peace or war" by a "government or sovereign power" doesn't require an actual state of war to exist. And BTW, Mondelez is the customer, not the weasly insurance company.

      Having said that, I still don't think Zurich has much hope of avoiding paying out. More likely the aim is doing a quick out of court deal to lower the quantum.

    2. Tomato Krill

      Re: War? Nope

      I think if you read a bit more slowly it's the insurer trying to argue it's an act of war.

      Plus your own quote contains 'at peace' so they need not be at war for the clause to be valid - excepting the other reasons it's not of course.

    3. BazNav

      Re: War? Nope

      They don't have to prove that Russia is at war with the USA, they need to prove that Russia is at war with Ukraine and that the damage caused by NP was collateral damage in that conflict which will probably be much easier to argue.

      Opens up interesting legal arguments; collateral damage used to be easy to work out - 'was your chocolate factory close to where the bad guys were dropping bombs?' In a cyber war it could become - 'was your network connected to the same internet as everybody else's networks?'

    4. Anonymous Coward
      Anonymous Coward

      Re: War? Nope

      We are not at war with Russia. We have always not been at war with Russia.

      Nothing to see here, Comrade, move along

  2. Big Al 23

    They'll pay

    They just want to see what they can get away with.

  3. Maelstorm Bronze badge

    Oh yeah

    An act of war? Really? So far all we know it was Russian hackers. They were probably state sponsored, but the insurance company is going to have to prove that in court. I agree with Big AI 23, they are trying to see what they can get away with. That and they probably want to hold out on the payment for as long as possible to get all the interest they can from the banks.

    1. eldakka Silver badge

      Re: Oh yeah

      but the insurance company is going to have to prove that in court.

      IANAL, however in civil court you don't have to 'prove' something to the same standard as criminal courts - beyond a reasonable doubt. All they would have to show is "on the balance of probabilities" or "more likely than not". So if it is commonly thought by experts that it was likely Russia, then that standard has been met.

      Also, again they wouldn't have to prove anything, they'd just need enough to persuade a judge (if bench trial) or jurors (if jury trial). It's not like it's a scientific discovery that requires 5-sigma to be considered proven. Just enough people to believe it.

      1. Doctor Syntax Silver badge

        Re: Oh yeah

        IANAL, however in civil court you don't have to 'prove' something to the same standard as criminal courts .... All they would have to show is "on the balance of probabilities"

        There's also scope for lots of legal argument about what constitutes an act of war in terms of what befalls an innocent bystander.

    2. Tomato Krill

      Re: Oh yeah

      With you up until the interest bit - you think they get paid interest?!? They *are* the bank - and that all ignores the reality they'll have a 100m set aside for this until the case is concluded in any case

      1. MiguelC Silver badge

        Re: Oh yeah

        and interest rates (for inter bank loans) are currently negative....

      2. Blazde

        Re: Oh yeah

        All insurance companies have money set aside for future payouts, it's known as the float and investing it - typically in bonds which pay interest - is a key part of a running an insurance outfit. Having said that I'd be surprised if an eventual payment to Mondelez doesn't include some interest-like compensation for lateness so it's unlikely they're motivated by hanging on to it longer except as a means to reduce the principal amount.

  4. Andrew Commons

    An opposing point of view

    Interestingly there is an opinion from Marsh LLC, part of Marsh and McLennan who are in the same business as Zurich and about the same size as Zurich, that is was NOT Cyber War.

    [PDF]https://www.marsh.com/content/dam/marsh/Documents/PDF/US-en/NotPetya-Was-Not-Cyber-War-08-2018.pdf

    I would have thought that contributory negligence - failure to patch - would have been the tack used by the insurance companies.

    1. Michael Wojcik Silver badge

      Re: An opposing point of view

      I would have thought that contributory negligence - failure to patch - would have been the tack used by the insurance companies.

      That would set a precedent with a strong chilling effect on the market.

      When you insure for fire damage (in a stable, industrialized country), there are well-documented protocols to follow for the insured: building codes, fire codes, inspections, etc. It's pretty easy for the insured to be in compliance and demonstrate that.

      With IT-security insurance, there are few or no regulations, depending on the business. There are no standard independent inspections, and no agreement on what you'd inspect for. Potential insurance customers know they'd have a hard time showing they weren't negligent. So if insurers look like they're going to weasel out of paying claims, the market will discount the value of IT-security insurance to the point where it's no longer a viable product.

      The IT-insurance market is enough of a mess already. Policies are ill-defined, claims may be hard to prove (fires leave a lot of evidence; rootkits not so much), data for actuarial analysis is thin, the market is immature (so risk pools are small and reinsurance harder to come by), and it's largely untested in court. Apparently Zurich America have decided to risk the last, but as others have noted, there's an excellent chance this will settle out of court.

      1. Andrew Commons

        Re: An opposing point of view

        That would be interesting. I suppose you could also extend negligence to include using software that you knew was faulty regardless of how much you patched it. Proving you weren't negligent does indeed become a challenge.

        1. John H Woods Silver badge

          Re: An opposing point of view

          "software that you knew was faulty regardless of how much you patched it"

          Surely that includes any reasonably complex software, especially operating systems?

      2. Dimmer

        Re: An opposing point of view

        In my past life I worked for a bank. We did have insurance IT audits.

  5. David 132 Silver badge

    Eh, it’s Mondelez.

    They bought Cadbury’s, then immediately moved jobs offshore and changed the distinctive chocolate recipe (note to any Swiss/Belgian/French chocolate snobs reading this: there are worse formulations than Cadbury’s, believe it or not). They deserve everything they get.

    1. MyffyW Silver badge

      Re: Eh, it’s Mondelez.

      "there are worse formulations than Cadbury’s, believe it or not"

      Harsh. Are there really any better formulations of milk chocolate than Cadburys?

      1. Keith Oborn

        Re: Eh, it’s Mondelez.

        Look at https://www.hotelchocolat.com/uk/shop/collections/chocolate/milk/

        Vastly better: it's actually chocolate. I'd never call Cadbury's that (even before Mondelez made it worse)

        1. Stretchoman

          Re: Eh, it’s Mondelez.

          Sure Cadbury's is much lower quality than Hotel Chocolat, quite significantly most would say. The main difference is most people are very fond of Cadbury's and don't fancy (or can afford) spending roughly 5 times the price for a product that at the end of the day is only giving you a short sense of pleasure.

      2. David 132 Silver badge

        Re: Eh, it’s Mondelez.

        @MyffyW oh, I agree with you. I personally like Cadbury’s - or did, prior to Mondelez’ dicking around with the recipe.

        I was trying to be even-handed...had I sung its praises without qualification, I foresaw that I’d set off a chorus of “but Cadbury’s is dog chocolate, you should try $expensive_belgian_brand instead”.

        1. Michael Wojcik Silver badge

          Re: Eh, it’s Mondelez.

          Shrug. I like cheap milk chocolate (though I avoid Nestle, as they are Satan's own foodmonger), and I don't really care whether anyone else knows, or does. I don't care if someone else eats Wonder Bread; why should they care what sort of chocolate I eat?

          1. Anonymous Coward
            Anonymous Coward

            Re: Eh, it’s Mondelez.

            "I don't care if someone else eats Wonder Bread"

            You heartless bastard. Think of the children! :)

        2. Anonymous Coward
          Anonymous Coward

          Re: Eh, it’s Mondelez.

          Even Cadbury’s is toxic to dogs

      3. cynic56

        Re: Eh, it’s Mondelez.

        MyffyW, have you actually tasted Cadbury's chocolate in the past few years? I agree that 20 years ago it was the best milk chocolate but consider it to be barely edible now, wouldn't even want it as a gift.

        I used to work at Cadbury's in Bournville in the 70s and 80s. Happy days. Loved the smell of chocolate which fillewd the air for miles around.

  6. DrM

    You picked our "never pay policy."

    https://youtu.be/kO2R_DDZPCM?t=110

  7. SMITCH79

    Insurance Companies

    Early in my career I worked for a large UK insurance company as a phone jockey and then a back office technical advisor (don't hate me I left the profession 15 years ago due to seismic shifts in the way it operated). More reject on spec and squeeze claims down to the bare minimum,

    e.g. Claiming the claimant didn't have a sufficient sum insured and then paying a pro rata fraction of the amount the claim was worth. They facilitated this by getting the Loss Adjusters to inflate the cost of the claimants possessions and rebuild costs.

    Since i was primarily dealing with large fire/water damage claims I found this repugnant since I was the appointed contact at the insurer for this type of stuff. Initially it was fine since I had the delegated authority to override the LA but this was reduced at my yearly audit the year before I left. When they started asking me to upsell on live claims I decided that was it, I wasn't helping people anymore.

    The "act of war" definition applied to this claim rejection will be difficult to substantiate in court and any good lawyer should be able to knock it out to the point of gaining at least 50% - 80% of the settlement. The insurance company is banking on this, tell them "no", put the ball back in their court and see what they do. This is classic on large claims.

    E.g. A recently published story in the UK about a homeowner who lost his £400,000 home to fire. The LA came out and rejected his claim on the basis he had declared at application he only had 5 bedooms. The LA decided he had 7 despite the fact the two extra rooms were too small to be considered bedrooms under local government guidelines. He went to the Ombudsman and lost (since the Ombudsman is essentially operated by the financial service companies). In court he would have no problem getting that overturned but its easier for the insurers just to say no and get the Ombudsman to back them on the more expensive stuff. This would have been considered a large claim so the insurance company would be looking for outs from the get go.

    I know that home insurance and £100 million malicious IT damage claims seem worlds apart but the principle is the same. Always.

    1. Anonymous Coward
      Anonymous Coward

      Re: Insurance Companies

      "Early in my career I worked for a large UK insurance company ... More reject on spec and squeeze claims down to the bare minimum,"

      The insurance industry definitely does not have a good reputation, but I think it's more of a "varies by company" thing. Members of my family have worked at insurance companies more recently than you, and it was very much a different story there (they were also somewhat "scared" of the FOS, as they were upholding a lot of cases at that time).

      "A recently published story in the UK about a homeowner who lost his £400,000 home to fire. The LA came out and rejected his claim on the basis he had declared at application he only had 5 bedooms. The LA decided he had 7 despite the fact the two extra rooms were too small to be considered bedrooms under local government guidelines."

      Yeah, at first glance, that one didn't make too much sense to me either, although it's somewhat hard to know without all the details (e.g. there is a legally-defined minimum size for bedrooms).

      Link to the story for those interested: https://www.thisismoney.co.uk/money/article-5550933/Our-house-burnt-insurer-refused-pay-said-7-bedrooms-not-five.html

      "He went to the Ombudsman and lost (since the Ombudsman is essentially operated by the financial service companies)."

      It's somewhat of a stretch to say that the FOS is "operated by the financial service companies" - it's funded by a levy/tax on them. It's previous head was very pro-consumer, which upset the industry, and was ultimately removed by George Osbourne and replaced by someone who was more pro-company - since then, there's been an increase in "interesting" decisions. Certainly the one time I had to use them (about 8 years ago, so prior to the change in leadership), they were very good.

      1. SMITCH79

        Re: Insurance Companies

        I did say "essentially". Maybe by proxy would have been more appropriate.

        Financial Service companies have serious lobbying influence on government (and therefore the FCA) and this was really what I was getting at.

        Currently the FCA is understaffed with people with inadequate training and experience for the type of claims they are rendering decisions on (Channel4). Why is that?

        I like to think when they are unsure of whether to side with claimant or not and seek counsel from the higher ups the response will be "Who's your Daddy?" since, as you point out, they are funded by levy.

        A "stretch", I don't think so.

  8. Will Godfrey Silver badge
    Mushroom

    Grave Robbers

    That's my opinion of insurance companies these days.

    In over 60 years our family has made 2 claims on home insurance. In the first case, the loss adjuster actually increased the value dad had estimated, whereas for me they reduced the amount so much that the excess was more than the value of the actual loss.

  9. Anonymous Coward
    Anonymous Coward

    The IP address (and it's physical location) of where the hacker connected from...

    .. is no indication of who is controlling that PC.

    First thing hackers do is break into a remote PC and launch the hack from there.

  10. Ian Emery Silver badge

    It goes all the way down to basic travel insurance, where certain airlines issue fake lost luggage claim numbers in the hope you wont make copies of the paperwork before they demand it back in exchange for your recovered luggage.

  11. deive

    I suppose this could be a good thing overall, if companies feel they can't just pay some insurance company to take the fall then they may start taking their security responsibilities seriously.

  12. Anonymous Coward
    Anonymous Coward

    Irony ?

    I bet Mondelez opted for the cheapest insurance policy they could find and signed it without spending anywhere as much on lawyers to review the contract as they did on lawyers to draw up the contracts for their own customers ???????

    I'm struggling to feel too much sympathy for them, truth be told. They were hardly a vulnerable customer.

    Also, if their business nous is so bad that they bought a shit insurance policy, I'd be looking at my investments in them in a new light. Same way I would if a major UK business announced it had to write off a few million because their Nigerian Royalty project failed ....

    1. c1ue

      Re: Irony ?

      Pretty bold claim - just how cheap do you think a $100M policy is?

    2. DavCrav Silver badge

      Re: Irony ?

      "I'm struggling to feel too much sympathy for them, truth be told. They were hardly a vulnerable customer."

      Do you only feel sorry for vulnerable people, when a company behaves like a total dick towards someone? So I'm not a vulnerable person, but I feel people should feel some sympathy if a company burned my house down and told me to fuck off.

      "Also, if their business nous is so bad that they bought a shit insurance policy"

      It isn't a shit insurance policy, the insurance company are -- what is the word? Ah, yes -- lying.

  13. Anonymous Coward
    Anonymous Coward

    "an act of war"

    more like an act of God. All you need is to demonstrate that the hack was based on religious beliefs, voice from above telling them, I dunno, wage war against the infidels?! ;)

  14. c1ue

    My view is this is more an attempt at setting a precedent than "getting" Mondelez.

    The cyber insurance sector has had an overall 60% loss ratio (% of premiums paid out to claims) for many years - NotPetya *might* significantly shift this for the industry overall, but definitely would shift this for Zurich in particular. Individual insurance orgs in cyber insurance have loss ratios ranging from 0% to 150%+.

    The litigation does, however, guarantee to shift the actual balance sheet hit out at least a year or two, possibly more. Tactically this is probably worthwhile (from Zurich's perspective) in its own right...

  15. sanmigueelbeer Silver badge
    Pint

    It's nothing "personal". It's just all about the money.

    Insurance company make (more) money by NOT paying claims.

    Zurich has probably done the maths. To pay the claims is $100 mil. To go to court is between $5 mil and $10 mil. If Zurich lose, there's always an appeal and then drag this for another, say, 10 or so years. During that time Zurich will "reach out" and offer an out-of-court settlement for $25 mil. Still a win-win for Zurich.

  16. Christian Berger Silver badge

    One would think that insurance companies would try to lower the risk

    After all with $100Million you can easily design your own computing platform including operating system and hardware. That would, at worst, be a bit more secure because it would be simpler and would obscure the rest of the bugs as it's more obscure. At best this would be a fundamentally new step towards more secure systems.

    Of course selling insurance and not paying is a much easier way to make money.

  17. MonsieurTM

    Given that it was the UK govt that claimed it was an act of wat, with very little intelligence to back it up. One might assume Zurich have consulted their extensive legal panel. Does this imply that relatively unfounded govt statements can now carry considerable legal weight? If found for the claimant, then that would put the UK govt"s claim of an act off war on very shaky legal basis...

    1. DavCrav Silver badge

      "If found for the claimant, then that would put the UK govt"s claim of an act off war on very shaky legal basis..."

      Why? A US court doesn't get to pass judgment on press releases of the UK Government.

  18. CyberRiskDude

    Claim is under a property policy not a cyber insurance policy

    The policy that Mondelez is claiming against is a property policy not a cyber policy. So your heading is actually misleading. Property insurance markets usually only provide very limited cyber cover and likely Mondelez would know that if they have a good broker. If they purchased a cyber policy they would not have the restrictive language in the policy. What we have here is a company making a claim against a policy that was really not intended to broadly cover this type of loss in the hope that they can leverage their loss into an insurance policy not really intended to cover this type of claim.

  19. Numo Quest

    Automation (digital/mechanical), 100% Predictable

    It isn't Zurich at stake in this instance legally. It are the IT professionals involved.

    Cyber crime, hacks, attacks, are a fact of every days life. That shouldn't be any surprise. What will come as a surprise to those IT professionals involved, perhaps they may be a crack in their field or discipline, I won't challenge that, but sure they haven't got any idea of automation? Here is the key for Zurich. Automation is what is key, not the manning, method, machine, called IT, which is the problem. If you don't have any idea of the 100% predictability of automation, yet are telling/yelling/hyping/selling that, every day, you must be up for the job.

    Everybody assumes that it is an act of war, or debating that. Legally it is the inhibition of professionals not up for the job to understand the 100% predictability of digital automation. Ransomware is simple fact of today's world we live in. The IT professionals involved are to be aware of that and to think and implement ways, means and methods to reduce these risks. Can they prevent it entirely? Perhaps not. But the fact the, to prevented, instance here is so wide spread, it only is fair to address and challenge the level of the IT professionals involved.

    For IT professionals reading this, regardless your discipline, field of expertise, your role in the IT chain, it is Digital Automation you are performing, your discipline, the means, equeipment, your discipline, called IT, is the way you automate. Legally you have a responsibility in every step of the way. If you don't understand the essentials and principles of automation, you legally have a challenge. You can be addressed legally if things go wrong.

    All Zurich has to do is to advise Mondelez to turn to the involved IT professionals or IT service supplier(s).

    1. Anonymous Coward
      Anonymous Coward

      Re: Automation (digital/mechanical), 100% Predictable

      AManFromMars1 is that you?

      1. John H Woods Silver badge

        Re: Automation (digital/mechanical), 100% Predictable

        No, it doesn't make enough sense

  20. Anonymous Coward
    Anonymous Coward

    Based on some of the other victims

    I’m surprised Zurich didn’t query whether industry standard practices were followed. Like patching or providing controls around admin accounts - Maersk and WPP certainly had differing experiences between the parts of the business that were outsourced and the parts managed by in-house IT. And the scale of the damages was certainly related to IBMs inability to react to the needs of the business.

    Or did Mondelez outsource IT to IBM and Mondelez lawyers are much less scary than IBMs?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019