For one company hit big by NotPetya, their insurance company is refusing to pay out on their policy’s cyber attack coverage

NotPetya is the globe’s worst cyber attack so far

To date, first place for the most destructive cyber attack the world has ever seen goes to NotPetya. It struck in the summer of 2017, perhaps most memorably impacting Maersk, the Danish shipping company. For them, their network was so corrupted, their IT staff was rendered helpless. Employees ran through company halls shouting to other workers to turn their computers off in a desperate effort to stem the disastrous flow. Ships carrying tens of millions of tons of cargo - up to a fifth of the world’s shipping capacity - literally were stuck dead in the water.

Screenshot of NotPetya

But Maersk was not the only victim. NotPetya wreaked havoc worldwide, fueled by EternalBlue, the hacking tool originally created by US’s National Security Agency (NSA) and leaked into the wild by the Shadow Brokers. NotPetya’s cost to the world has been estimated at $10 billion in total damages, passing even WannaCry, which came in between $4-8 billion. Other companies impacted include Merck, Fed-Ex, and Mondelez. All these companies and others faced 9-figure costs in damages along with months of recovery.

Mondelez suffered $100M in damages – but they had cyberinsurance

Mondelez is a large food manufacturing company, behind the recognizable brands such as Nabisco, Oreo, belVita biscuits, Cadbury and Toblerone chocolate and Trident gum. Their systems run on Windows-based software, precisely what NotPetya attacked. They suffered property damage and disruption to their supply and distribution channels, which led to inability to fulfill customer orders, lower margins and revenue losses over $100,000,000. Another staggering impact.

They at least had hopes of being able to recover some of those losses from their cyber insurance policy it had with Zurich American Insurance. But now, instead of being covered on its claim, Mondelez is suing Zurich for backing out of paying.

Ransom note

What happened?!

Mondelez had covered itself with a cyber insurance policy, or so it thought. The policy wording said coverage was provided for “all risks of physical loss or damage” to property, including “physical loss or damage to electronic data, programs or software, including loss or damage caused by the malicious introduction of a machine code or instruction.” That coverage meant Mondelez could recoup damages for loss or expenses from impact to, or interruption of, their business due to failure of their electronic systems or equipment due to cyberattack. One would think that covers NotPetya’s destruction and pay out should ensue.

No payment for warlike attacks

Not so fast. The policy had an exclusion for hostile or warlike actions, including “action in hindering, combating or defending against an actual, impending or expected attack” by any of the following:

(i) government or sovereign power (de jure or de facto);

(ii) military, naval, or air force; or

(iii) agent or authority of any party specified in (i) or (ii) above.

Zurich initially was going to pay at least a partial amount, but now they are adhering fully to the position that NotPetya was a hostile or warlike action by a “government or sovereign power.” Taking this position means they have to identify the perpetrator and prove they are guilty of committing the warlike act. That’s not an easy task. Even given that many countries have already called the attack an act of cyberwar by a nation state, as well as naming Russia as responsible. Even the US has blamed Russia for sending out the NotPetya ransomware with Ukraine as their target and it went out of control beyond even their intentions. But believing or knowing it to be true and proving it in court are different things. 

What’s at stake pending the court decision?

Where the judge lands on this case will be interesting to see. The decision is consequential to multiple parties – to companies with insurance, to individual insurance companies and the insurance industry as a whole. Many advanced cyber attacks that have caused tremendous damage could be considered nation-state attacks (WannaCry included). Will all insurance companies now hide behind exclusion clauses and not pay out on these cyber attacks?

While damages and payouts for cyber attacks clearly can be huge, if enough companies carry coverage and are not compromised, it remains a worthwhile business in the insurance industry. But if the insurance companies refuse to pay out on claims, their clients could deem them unreliable and pull their policies, resulting in a loss of revenue in the industry and a loss of protection to the companies that contracted with them.

This is a court case to watch.