Cyber-insurance shock: Zurich refuses to foot NotPetya ransomware clean-up bill – and claims it's 'an act of war'

US snack food giant Mondelez is suing its insurance company for $100m after its claim for cleaning up a massive NotPetya ransomware infection was rejected – for being "an act of war" and therefore not covered under its policy. Zurich American Insurance Company has refused to pay out on a Mondelez policy that explicitly stated …

  1. Anonymous Coward

    War? Nope

    Bad move. Mondelez is probably going to have to prove that the US is actually at war with whoever delivered NotPetya (NP). NP might well have been developed for the Russian state or not (who cares - it's still nasty) but that does not constitute war.

    The US and Russia are not at war: there is no merit in trying to claim otherwise. It might be considered inflammatory and perhaps reckless to imply a state of war might exist.

    1. Anonymous Coward

      Re: War? Nope

      I hope you read your own contracts more carefully than that, because an exclusion for "hostile or warlike action in time of peace or war" by a "government or sovereign power" doesn't require an actual state of war to exist. And BTW, Mondelez is the customer, not the weaselly insurance company.

      Having said that, I still don't think Zurich has much hope of avoiding paying out. More likely the aim is doing a quick out of court deal to lower the quantum.

    2. Tomato Krill

      Re: War? Nope

      I think if you read a bit more slowly it's the insurer trying to argue it's an act of war.

      Plus your own quote contains 'at peace' so they need not be at war for the clause to be valid - excepting the other reasons it's not of course.

    3. BazNav

      Re: War? Nope

      They don't have to prove that Russia is at war with the USA, they need to prove that Russia is at war with Ukraine and that the damage caused by NP was collateral damage in that conflict which will probably be much easier to argue.

      Opens up interesting legal arguments; collateral damage used to be easy to work out - 'was your chocolate factory close to where the bad guys were dropping bombs?' In a cyber war it could become - 'was your network connected to the same internet as everybody else's networks?'

    4. Anonymous Coward

      Re: War? Nope

      We are not at war with Russia. We have always not been at war with Russia.

      Nothing to see here, Comrade, move along

  2. Big Al 23

    They'll pay

    They just want to see what they can get away with.

  3. Maelstorm Bronze badge

    Oh yeah

    An act of war? Really? So far all we know is it was Russian hackers. They were probably state sponsored, but the insurance company is going to have to prove that in court. I agree with Big Al 23, they are trying to see what they can get away with. That and they probably want to hold out on the payment for as long as possible to get all the interest they can from the banks.

    1. eldakka

      Re: Oh yeah

      but the insurance company is going to have to prove that in court.

      IANAL, however in civil court you don't have to 'prove' something to the same standard as criminal courts - beyond a reasonable doubt. All they would have to show is "on the balance of probabilities" or "more likely than not". So if it is commonly thought by experts that it was likely Russia, then that standard has been met.

      Also, again they wouldn't have to prove anything, they'd just need enough to persuade a judge (if bench trial) or jurors (if jury trial). It's not like it's a scientific discovery that requires 5-sigma to be considered proven. Just enough people to believe it.

      1. Doctor Syntax Silver badge

        Re: Oh yeah

        IANAL, however in civil court you don't have to 'prove' something to the same standard as criminal courts .... All they would have to show is "on the balance of probabilities"

        There's also scope for lots of legal argument about what constitutes an act of war in terms of what befalls an innocent bystander.

    2. Tomato Krill

      Re: Oh yeah

      With you up until the interest bit - you think they get paid interest?!? They *are* the bank - and that all ignores the reality they'll have a 100m set aside for this until the case is concluded in any case

      1. MiguelC Silver badge

        Re: Oh yeah

        and interest rates (for inter bank loans) are currently negative....

      2. Blazde Silver badge

        Re: Oh yeah

        All insurance companies have money set aside for future payouts, it's known as the float and investing it - typically in bonds which pay interest - is a key part of running an insurance outfit. Having said that I'd be surprised if an eventual payment to Mondelez doesn't include some interest-like compensation for lateness so it's unlikely they're motivated by hanging on to it longer except as a means to reduce the principal amount.

  4. Andrew Commons

    An opposing point of view

    Interestingly there is an opinion from Marsh LLC, part of Marsh and McLennan who are in the same business as Zurich and about the same size as Zurich, that it was NOT Cyber War.

    [PDF]https://www.marsh.com/content/dam/marsh/Documents/PDF/US-en/NotPetya-Was-Not-Cyber-War-08-2018.pdf

    I would have thought that contributory negligence - failure to patch - would have been the tack used by the insurance companies.

    1. Michael Wojcik Silver badge

      Re: An opposing point of view

      I would have thought that contributory negligence - failure to patch - would have been the tack used by the insurance companies.

      That would set a precedent with a strong chilling effect on the market.

      When you insure for fire damage (in a stable, industrialized country), there are well-documented protocols to follow for the insured: building codes, fire codes, inspections, etc. It's pretty easy for the insured to be in compliance and demonstrate that.

      With IT-security insurance, there are few or no regulations, depending on the business. There are no standard independent inspections, and no agreement on what you'd inspect for. Potential insurance customers know they'd have a hard time showing they weren't negligent. So if insurers look like they're going to weasel out of paying claims, the market will discount the value of IT-security insurance to the point where it's no longer a viable product.

      The IT-insurance market is enough of a mess already. Policies are ill-defined, claims may be hard to prove (fires leave a lot of evidence; rootkits not so much), data for actuarial analysis is thin, the market is immature (so risk pools are small and reinsurance harder to come by), and it's largely untested in court. Apparently Zurich America have decided to risk the last, but as others have noted, there's an excellent chance this will settle out of court.

      1. Andrew Commons

        Re: An opposing point of view

        That would be interesting. I suppose you could also extend negligence to include using software that you knew was faulty regardless of how much you patched it. Proving you weren't negligent does indeed become a challenge.

        1. John H Woods Silver badge

          Re: An opposing point of view

          "software that you knew was faulty regardless of how much you patched it"

          Surely that includes any reasonably complex software, especially operating systems?

      2. Dimmer Bronze badge

        Re: An opposing point of view

        In my past life I worked for a bank. We did have insurance IT audits.

  5. David 132 Silver badge

    Eh, it’s Mondelez.

    They bought Cadbury’s, then immediately moved jobs offshore and changed the distinctive chocolate recipe (note to any Swiss/Belgian/French chocolate snobs reading this: there are worse formulations than Cadbury’s, believe it or not). They deserve everything they get.

    1. MyffyW Silver badge

      Re: Eh, it’s Mondelez.

      "there are worse formulations than Cadbury’s, believe it or not"

      Harsh. Are there really any better formulations of milk chocolate than Cadburys?

      1. Keith Oborn

        Re: Eh, it’s Mondelez.

        Look at https://www.hotelchocolat.com/uk/shop/collections/chocolate/milk/

        Vastly better: it's actually chocolate. I'd never call Cadbury's that (even before Mondelez made it worse)

        1. Stretchoman

          Re: Eh, it’s Mondelez.

          Sure Cadbury's is much lower quality than Hotel Chocolat, quite significantly most would say. The main difference is most people are very fond of Cadbury's and don't fancy (or can afford) spending roughly 5 times the price for a product that at the end of the day is only giving you a short sense of pleasure.

      2. David 132 Silver badge

        Re: Eh, it’s Mondelez.

        @MyffyW oh, I agree with you. I personally like Cadbury’s - or did, prior to Mondelez’ dicking around with the recipe.

        I was trying to be even-handed...had I sung its praises without qualification, I foresaw that I’d set off a chorus of “but Cadbury’s is dog chocolate, you should try $expensive_belgian_brand instead”.

        1. Michael Wojcik Silver badge

          Re: Eh, it’s Mondelez.

          Shrug. I like cheap milk chocolate (though I avoid Nestle, as they are Satan's own foodmonger), and I don't really care whether anyone else knows, or does. I don't care if someone else eats Wonder Bread; why should they care what sort of chocolate I eat?

          1. Anonymous Coward

            Re: Eh, it’s Mondelez.

            "I don't care if someone else eats Wonder Bread"

            You heartless bastard. Think of the children! :)

        2. Anonymous Coward

          Re: Eh, it’s Mondelez.

          Even Cadbury’s is toxic to dogs

      3. cynic56

        Re: Eh, it’s Mondelez.

        MyffyW, have you actually tasted Cadbury's chocolate in the past few years? I agree that 20 years ago it was the best milk chocolate but consider it to be barely edible now, wouldn't even want it as a gift.

        I used to work at Cadbury's in Bournville in the 70s and 80s. Happy days. Loved the smell of chocolate which filled the air for miles around.

  6. DrM

    You picked our "never pay policy."

    https://youtu.be/kO2R_DDZPCM?t=110

  7. Anonymous Coward

    Insurance Companies

    Early in my career I worked for a large UK insurance company as a phone jockey and then a back office technical advisor (don't hate me, I left the profession 15 years ago due to seismic shifts in the way it operated). More reject on spec and squeeze claims down to the bare minimum,

    e.g. Claiming the claimant didn't have a sufficient sum insured and then paying a pro rata fraction of the amount the claim was worth. They facilitated this by getting the Loss Adjusters to inflate the cost of the claimants possessions and rebuild costs.

    Since I was primarily dealing with large fire/water damage claims I found this repugnant since I was the appointed contact at the insurer for this type of stuff. Initially it was fine since I had the delegated authority to override the LA but this was reduced at my yearly audit the year before I left. When they started asking me to upsell on live claims I decided that was it, I wasn't helping people anymore.

    The "act of war" definition applied to this claim rejection will be difficult to substantiate in court and any good lawyer should be able to knock it out to the point of gaining at least 50% - 80% of the settlement. The insurance company is banking on this, tell them "no", put the ball back in their court and see what they do. This is classic on large claims.

    E.g. A recently published story in the UK about a homeowner who lost his £400,000 home to fire. The LA came out and rejected his claim on the basis he had declared at application he only had 5 bedrooms. The LA decided he had 7 despite the fact the two extra rooms were too small to be considered bedrooms under local government guidelines. He went to the Ombudsman and lost (since the Ombudsman is essentially operated by the financial service companies). In court he would have no problem getting that overturned but it's easier for the insurers just to say no and get the Ombudsman to back them on the more expensive stuff. This would have been considered a large claim so the insurance company would be looking for outs from the get go.

    I know that home insurance and £100 million malicious IT damage claims seem worlds apart but the principle is the same. Always.

    1. Anonymous Coward

      Re: Insurance Companies

      "Early in my career I worked for a large UK insurance company ... More reject on spec and squeeze claims down to the bare minimum,"

      The insurance industry definitely does not have a good reputation, but I think it's more of a "varies by company" thing. Members of my family have worked at insurance companies more recently than you, and it was very much a different story there (they were also somewhat "scared" of the FOS, as they were upholding a lot of cases at that time).

      "A recently published story in the UK about a homeowner who lost his £400,000 home to fire. The LA came out and rejected his claim on the basis he had declared at application he only had 5 bedrooms. The LA decided he had 7 despite the fact the two extra rooms were too small to be considered bedrooms under local government guidelines."

      Yeah, at first glance, that one didn't make too much sense to me either, although it's somewhat hard to know without all the details (e.g. there is a legally-defined minimum size for bedrooms).

      Link to the story for those interested: https://www.thisismoney.co.uk/money/article-5550933/Our-house-burnt-insurer-refused-pay-said-7-bedrooms-not-five.html

      "He went to the Ombudsman and lost (since the Ombudsman is essentially operated by the financial service companies)."

      It's somewhat of a stretch to say that the FOS is "operated by the financial service companies" - it's funded by a levy/tax on them. Its previous head was very pro-consumer, which upset the industry, and was ultimately removed by George Osborne and replaced by someone who was more pro-company - since then, there's been an increase in "interesting" decisions. Certainly the one time I had to use them (about 8 years ago, so prior to the change in leadership), they were very good.

      1. Anonymous Coward

        Re: Insurance Companies

        I did say "essentially". Maybe by proxy would have been more appropriate.

        Financial Service companies have serious lobbying influence on government (and therefore the FCA) and this was really what I was getting at.

        Currently the FCA is understaffed with people with inadequate training and experience for the type of claims they are rendering decisions on (Channel4). Why is that?

        I like to think when they are unsure of whether to side with claimant or not and seek counsel from the higher ups the response will be "Who's your Daddy?" since, as you point out, they are funded by levy.

        A "stretch", I don't think so.

  8. Will Godfrey Silver badge

    Grave Robbers

    That's my opinion of insurance companies these days.

    In over 60 years our family has made 2 claims on home insurance. In the first case, the loss adjuster actually increased the value dad had estimated, whereas for me they reduced the amount so much that the excess was more than the value of the actual loss.

  9. Anonymous Coward

    The IP address (and its physical location) of where the hacker connected from...

    .. is no indication of who is controlling that PC.

    First thing hackers do is break into a remote PC and launch the hack from there.

  10. Anonymous Coward

    It goes all the way down to basic travel insurance, where certain airlines issue fake lost luggage claim numbers in the hope you won't make copies of the paperwork before they demand it back in exchange for your recovered luggage.

  11. deive

    I suppose this could be a good thing overall, if companies feel they can't just pay some insurance company to take the fall then they may start taking their security responsibilities seriously.

  12. Anonymous Coward

    Irony ?

    I bet Mondelez opted for the cheapest insurance policy they could find and signed it without spending anywhere as much on lawyers to review the contract as they did on lawyers to draw up the contracts for their own customers ???????

    I'm struggling to feel too much sympathy for them, truth be told. They were hardly a vulnerable customer.

    Also, if their business nous is so bad that they bought a shit insurance policy, I'd be looking at my investments in them in a new light. Same way I would if a major UK business announced it had to write off a few million because their Nigerian Royalty project failed ....

    1. c1ue

      Re: Irony ?

      Pretty bold claim - just how cheap do you think a $100M policy is?

    2. DavCrav

      Re: Irony ?

      "I'm struggling to feel too much sympathy for them, truth be told. They were hardly a vulnerable customer."

      Do you only feel sorry for vulnerable people, when a company behaves like a total dick towards someone? So I'm not a vulnerable person, but I feel people should feel some sympathy if a company burned my house down and told me to fuck off.

      "Also, if their business nous is so bad that they bought a shit insurance policy"

      It isn't a shit insurance policy, the insurance company are -- what is the word? Ah, yes -- lying.

  13. Anonymous Coward

    "an act of war"

    more like an act of God. All you need is to demonstrate that the hack was based on religious beliefs, voice from above telling them, I dunno, wage war against the infidels?! ;)

  14. c1ue

    My view is this is more an attempt at setting a precedent than "getting" Mondelez.

    The cyber insurance sector has had an overall 60% loss ratio (% of premiums paid out to claims) for many years - NotPetya *might* significantly shift this for the industry overall, but definitely would shift this for Zurich in particular. Individual insurance orgs in cyber insurance have loss ratios ranging from 0% to 150%+.

    The litigation does, however, guarantee to shift the actual balance sheet hit out at least a year or two, possibly more. Tactically this is probably worthwhile (from Zurich's perspective) in its own right...

  15. sanmigueelbeer

    It's nothing "personal". It's just all about the money.

    Insurance companies make (more) money by NOT paying claims.

    Zurich has probably done the maths. To pay the claims is $100 mil. To go to court is between $5 mil and $10 mil. If Zurich lose, there's always an appeal and then drag this for another, say, 10 or so years. During that time Zurich will "reach out" and offer an out-of-court settlement for $25 mil. Still a win-win for Zurich.

  16. Christian Berger

    One would think that insurance companies would try to lower the risk

    After all with $100Million you can easily design your own computing platform including operating system and hardware. That would, at worst, be a bit more secure because it would be simpler and would obscure the rest of the bugs as it's more obscure. At best this would be a fundamentally new step towards more secure systems.

    Of course selling insurance and not paying is a much easier way to make money.

  17. MonsieurTM

    Given that it was the UK govt that claimed it was an act of war, with very little intelligence to back it up, one might assume Zurich have consulted their extensive legal panel. Does this imply that relatively unfounded govt statements can now carry considerable legal weight? If found for the claimant, then that would put the UK govt's claim of an act of war on a very shaky legal basis...

    1. DavCrav

      "If found for the claimant, then that would put the UK govt's claim of an act of war on a very shaky legal basis..."

      Why? A US court doesn't get to pass judgment on press releases of the UK Government.

  18. CyberRiskDude

    Claim is under a property policy not a cyber insurance policy

    The policy that Mondelez is claiming against is a property policy not a cyber policy. So your heading is actually misleading. Property insurance markets usually only provide very limited cyber cover and likely Mondelez would know that if they have a good broker. If they purchased a cyber policy they would not have the restrictive language in the policy. What we have here is a company making a claim against a policy that was really not intended to broadly cover this type of loss in the hope that they can leverage their loss into an insurance policy not really intended to cover this type of claim.

  19. Numo Quest

    Automation (digital/mechanical), 100% Predictable

    It isn't Zurich at stake in this instance legally. It is the IT professionals involved.

    Cyber crime, hacks, attacks, are a fact of everyday life. That shouldn't be any surprise. What will come as a surprise to those IT professionals involved, perhaps they may be a crack in their field or discipline, I won't challenge that, but sure they haven't got any idea of automation? Here is the key for Zurich. Automation is what is key, not the manning, method, machine, called IT, which is the problem. If you don't have any idea of the 100% predictability of automation, yet are telling/yelling/hyping/selling that, every day, you must be up for the job.

    Everybody assumes that it is an act of war, or is debating that. Legally it is the inhibition of professionals not up for the job to understand the 100% predictability of digital automation. Ransomware is a simple fact of today's world we live in. The IT professionals involved are to be aware of that and to think and implement ways, means and methods to reduce these risks. Can they prevent it entirely? Perhaps not. But the fact that the, to be prevented, instance here is so widespread, it only is fair to address and challenge the level of the IT professionals involved.

    For IT professionals reading this, regardless of your discipline, field of expertise, your role in the IT chain, it is Digital Automation you are performing; your discipline, the means, equipment, your discipline, called IT, is the way you automate. Legally you have a responsibility in every step of the way. If you don't understand the essentials and principles of automation, you legally have a challenge. You can be addressed legally if things go wrong.

    All Zurich has to do is to advise Mondelez to turn to the involved IT professionals or IT service supplier(s).

    1. Anonymous Coward

      Re: Automation (digital/mechanical), 100% Predictable

      AManFromMars1 is that you?

      1. John H Woods Silver badge

        Re: Automation (digital/mechanical), 100% Predictable

        No, it doesn't make enough sense

  20. Anonymous Coward

    Based on some of the other victims

    I’m surprised Zurich didn’t query whether industry standard practices were followed. Like patching or providing controls around admin accounts - Maersk and WPP certainly had differing experiences between the parts of the business that were outsourced and the parts managed by in-house IT. And the scale of the damages was certainly related to IBM's inability to react to the needs of the business.

    Or did Mondelez outsource IT to IBM and Mondelez lawyers are much less scary than IBM's?
