I’m sure everyone has heard it before: commentators, pundits, and even members of the 809 Panel have stated that “we are at war!” Most of these claims revolve less around ground combat or air battles than the fact that more countries are investing in and deploying cyber assets to destroy not just the defense networks of other countries, but their economic systems as well. Thus, it stands to reason that some of the cyber threats seen in the wild are not just from random hackers in basements or dark apartments, but from state actors or quasi-state actors operating directly or indirectly at the behest of governments. Further, there are even more hackers working for terrorist organizations criminal enterprises financially connected to terror organizations, or “lone wolf” actors whose motives some would contend to be “terrorist” in nature. This fact runs headlong into a provision contained in many cyber insurance contracts that state the insurer does not have to pay for incidents caused by an “act of war” or “act of terror.” It is this very exclusion that is at play in recent a multi-million dollar lawsuit. Specifically, if the insurance company defendant prevails and more insurers attempt to use this exception to avoid paying for damages caused by malware suspected of being tied to state actors or terrorist organizations, cyber insurance could become virtually worthless.
Specifically, a large international snack food company, Mondelez International, Inc., is suing its cyber insurance company, Zurich American Insurance Company, for $100M after Zurich refused to pay for damages incurred due to a “NotPetya” ransomware attack. During the attack, Mondelez lost thousands of servers and laptops. You may think that ransomware was the entire reason you bought cyber insurance, so how can this be? In a word, “war”. See Mondelez Int. v. Zurich Am. Insurance, 2018-L-011008 (Cir. Ct. Cook County, Ill., Law Div.).
Taking a step back, it is important to understand what “NotPetya” is. “NotPetya” is a type of malware that effectively locks all of an infected computer’s data behind a paywall by encrypting said data. Unless the victim pays a ransom, usually in some form of cryptocurrency (hence the term “cryptolocker” as another euphemism for this kind of malware), the user’s data will be encrypted and unusable forever. If the user pays the ransom, the hacker will supposedly “unlock” or decrypt the data. So you may think “how is some bit of random ransomware an ‘Act of War’ or ‘Act of Terror?’” Well, according to the UK government, “NotPeya” was created by Russian hackers trying to harm Ukraine during the Russian annexation of Crimea. Thus, this particular ransomware was developed to cause chaos within Ukraine for a political purpose, and it was allegedly made by a state actor (despite the Russian government denying the allegations). For this reason, Zurich has argued that “NotPetya” was not mere malware, but actually the product of a hostile action of the Russian government, i.e., an “act of war.” For this reason, Zurich denied the claim.
Should Zurich win this case, it would mean that any malware with an alleged connection to any state actor, terror group, organized crime syndicate with links to terror organizations, or even individual actor with a political motive would be excluded from coverage by cyber insurance policies. Given that so many of the most widespread and damaging malware in existence (see WannaCry, Flame, Petya, NotPetya, Gauss, etc.) are thought to be connected to state actors or terror groups, that would basically make cyber insurance a complete waste of money—like having flood insurance that does not cover floods caused by rain. This is something to keep in mind for anyone with a cyber insurance policy and for those looking for such policies.
It also shows that actively training employees to avoid falling victim to phishing and other social engineering attacks, where most of these exposures happen, is critical to protecting your company. Be proactive, be smart, and make sure every employee from the top to the bottom understands these threats and how to identify them.