US food giant Mondelez is suing its insurance company, Zurich after the insurer refused to pay out over $100 million in damages incurred during the NotPetya ransomware campaign.
The owner of Oreo and Cadbury brands claims it is owed the funds to pay for the irreversible damage done to 1,700 servers and 24,000 laptops, unfulfilled orders, and other disruptions to its operations. The company believes this incident falls under the policy’s provision to cover “all risks of physical loss or damage” to property, including “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”
Court documents indicate that Zurich originally intended to adjust the claim as Mondelez requested and even negotiated to make a $10 million interim payment but later refused to pay. Zurich claims that an exclusion applies in this case because NotPetya falls under a “hostile or warlike action in time of peace or war” by a "government or sovereign power”.
Last February the Five Eyes nations joined forces to blame Russia for the devastating NotPetya attacks in June 2017 when a mission to cause mass disruption to Ukrainian businesses and government agencies got out of control and spread via multinationals across the globe.
Despite their strong stance on the incident, the governments did not produce any hard evidence to back up their claims, which could make it hard for Zurich to prove its case against Mondelez. Mondelez described the refusal as “unprecedented” and is seeking $100 million in damages.
Some experts believe Zurich should have invoked a gross negligence clause because Mondelez was hit with the same ransomware twice.
This case represents the first serious legal dispute over how companies can recover the costs of a cyber-attack, as insurance companies look to shrink the scope of their liabilities. Should Zurich successfully argue its case in court and win, organizations across the globe would need to immediately review their policies and start looking for cyber-specific insurance policies.
As a CIS Certified vendor, we work closely with the Center for Internet Security (CIS) to provide a comprehensive suite of system hardening templates that can be leveraged to ensure all systems retain the most appropriate checks designed to harden your environment and protect from Ransomware.
We’ve also developed a powerful Ransomware Mitigation Kit, comprising the necessary automated vulnerability checks and Group Policy/Puppet templates to automatically fix any weaknesses identified.
Read this article on Dark Reading