A single lawsuit could increase global business risk by many billions overnight
NotPetya continues to be an unprecedented piece of malware; we estimated its damages topped $10 billion.
The malware mimicked Petya ransomware, but infected systems were not held hostage for ransom: their data was scrambled with AES-128 encryption, rendering the machines effectively useless. It used a modified version of the NSA's stolen and leaked EternalBlue SMB exploit, previously used by WannaCry, together with the agency's stolen and leaked EternalRomance SMB exploit, to infect other systems by injecting malicious code into them.
The malware was distributed via a hijacked software update for a Ukrainian tax software tool and via phishing emails.
In court papers filed in Illinois, Mondelez said it had been hit twice by NotPetya, with 1,700 of its servers and 24,000 laptops rendered “permanently dysfunctional”.
Mondelez made a claim for the costs on its property insurance policy that, it said, provided cover for “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction”.
According to the Mondelez court documents, Zurich initially worked to adjust the claim in the usual way and at one point even promised to make a $10m interim payment. But it later refused to pay, relying on an exclusion in the policy for “a hostile or warlike action” by a government or sovereign power or people acting for them.
Mondelez described Zurich’s refusal as “unprecedented” and is seeking $100m in damages. Both companies declined to comment on the case.
In February 2018, the U.K. officially blamed Russia for the unusually powerful cyberattack. The U.S., Canada and Australia quickly followed as part of what was revealed later to be a coordinated diplomatic action. The official statement from the White House called the malware “part of the Kremlin’s ongoing effort to destabilize Ukraine” and said it demonstrated “ever more clearly Russia’s involvement in the ongoing conflict.” Cybersecurity companies found that the attack had first struck in Ukraine.
The challenge is that Zurich will need to prove NotPetya was an act of war.
They could argue, however, that war does not formally need to be declared. In fact, since 1945, developments in international law such as the United Nations Charter, which prohibits both the threat and the use of force in international conflicts, have made declarations of war largely obsolete in international relations.
It seems the definition of war, like dating, has been forever altered thanks to the internet.
And if the court agrees, it could mean NotPetya and many other attacks can be considered acts of war.
As a result, corporations need to be ever-vigilant when reviewing their insurance and cyber insurance policies.
Increasingly, cyber attacks will be attributed to nations. Moreover, technology exists that allows attackers to appear as if they are operating from a different country, meaning that determining liability may become more difficult over time.
In authoritarian, communist and even socialist countries, could it not be argued that actions are inherently taken on behalf of the government, meaning an attack from such a country is warlike?
The point is, this lawsuit could drastically increase the cyber exposure of numerous organizations – depending on the outcome of course.
Insurance policies need to be spelled out clearly and should include provisions for coverage in the event of cyberterrorism and other now foreseeable scenarios.
Using a service like Phish360, companies can drastically reduce their cyber risk from phishing attacks. Phish360 is free to try and is one of the most effective ways to improve the cybersecurity of any organization.