[BreachExchange] SHOULD INSURERS PAY DAMAGES CAUSED BY RANSOMWARE?

Destry Winant destry at riskbasedsecurity.com
Tue Jan 15 03:10:00 EST 2019


https://www.securitynewspaper.com/2019/01/12/should-insurer-pay-damages-caused-by-ransomware/

The company argues that its insurance does not cover damage caused “by
Acts of war”

According to network security and ethical hacking specialists from the
International Institute of Cyber Security, the American food, beverage
and snack company Mondelez has decided to sue its insurance company
for an estimated $100M USD. According to the reports, the company
claims that its insurer has refused to cover the damage caused by a
NotPetya ransomware infection, arguing that this infection is part of
a “cyber war campaign”, a scenario that is not covered by the
insurance policy.

Zurich American Insurance Company has refused to pay out on a policy
which explicitly states that it “covers all risks of loss or
physical, data, programs or any software damages, including damage
caused in the event of malicious software injection in the Mondelez
infrastructure.”

This claim originated during the outbreak of the NotPetya ransomware
in 2017. According to experts in network security, it is a
Windows-based malware capable of encrypting the file system table of a
hard drive, preventing the system from starting. The company claims
that it lost 1,700 servers and 24,000 portable computers to this
attack.

The United Kingdom government, supported by evidence gathered by
multiple network security experts, said the Russian government was
behind the NotPetya attack, which also affected Ukraine’s energy
infrastructure, but the Russian authorities have repeatedly denied
such accusations.

Multiple private companies were also affected by NotPetya. The Maersk
shipping company, for example, claims to have lost about $300M USD due
to these attacks; FedEx, for its part, reported losses of a similar
amount. It is estimated that insurance companies would need to spend
about $80 billion USD to cover their policies.

After analyzing the Mondelez suit, Zurich began investigating the case
with the intention of reducing the economic claims of the American
company. Although Zurich offered Mondelez an initial payment of $10M
USD, the insurer has denied what is claimed in the lawsuit, alleging
that an exclusion clause for “hostile or warlike action” or
“government intervention” applies.

According to reports from experts in network security, the insurer
argues that the attack was provoked by the Russian government as an
act of war, a scenario that Mondelez’s insurance policy does not
cover.

This is an unprecedented case, although Mondelez argues that the
insurer must demonstrate that, indeed, the Russian government is
behind these attacks, which is a difficult task.

It is believed that, if Zurich were to win the case, it would
establish a precedent leading this class of companies to revise
their policies, generating a new offering in protection against cyber
threats.