Skip to main content
Top Button
What Happens When North Korea Attacks Your Company? Will Your Cyber-Insurance Cover You? A Perspecti What Happens When North Korea Attacks Your Company? Will Your Cyber-Insurance Cover You? A Perspecti

What Happens When North Korea Attacks Your Company? Will Your Cyber-Insurance Cover You? A Perspective on the Zurich-Mondelez Dispute

Cyber-breaches attributable to nation-state hackers continue to grow in number and severity, whether for theft of intellectual property, to steal money or to destroy the targeted business/sector. Now an insurance dispute has posed the question—should there be coverage for a “nation-state” attack or does this fall within the “acts of war” exclusion that almost all insurance policies contain?
 
For companies that have wisely invested in cyber-related insurance to mitigate aspects of cyber-risk that are not cost-effectively dealt with through technology, training or controls, the dispute raises a number of good questions. At a 30,000 foot level, the dispute raises the question as to whether the identity of the attacker should matter, even when the attack is not particularly technically sophisticated. At a more practical level, the question arises around attribution—a challenging task for the National Security Agency (NSA), Federal Bureau of Investigation (FBI) and Department of Justice (DOJ)—and how private-sector companies would reach high-confidence conclusions without ready access to classified or law enforcement information.
 
Can Attribution to a Nation-State Hacker Equal War Exclusion?

Mondelez is a public company that owns major brands like Oreo and Cadbury. In 2017, Mondelez, along with a number of other public companies, was impacted by the NotPetya malware. NotPetya is a type of destructive ransomware that caused business interruption-level consequences for affected companies across the world. The attack was attributed to a malware implant that infiltrated affected systems via an update to the software of an accounting company located in the Ukraine. Eventually attributed to Russian hackers, United States government sources have pointed the finger to Russian government entities, which have operated aggressively in the Ukraine, especially since Russia’s takeover of the Crimea.
 
Mondelez had procured insurance policies to mitigate losses stemming from a cyber-attack and consequently filed a $100 million claim for damages caused by the NotPetya cyber-attack, which Zurich Insurance Group denied. Mondelez then brought suit against Zurich for alleged breach of contract, promissory estoppel and vexatious and unreasonable conduct.[1] According to the suit, Mondelez’s property insurance policy covered “physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction…”[2] Zurich has taken the position that the NotPetya incident was a “hostile or warlike action” and fell under the commonly referred to “war exclusion” under the property policy.

Zurich’s Stance Appears Out of Step with the Industry

The impact of the NotPetya ransomware incident globally was more than $10 billion in damages, an astounding figure that includes $300 million in disclosed losses for two other publicly-held companies. Much of the loss was attributed to the temporary shutdown of business operations, which was required to stop the NotPetya ransomware from spreading inside affected networks.
 
  • We believe this is the first publicly reported case where an insurance company has invoked the war exclusion to deny coverage of a cyber-incident under a property insurance policy.
  • In that respect, Zurich’s decision appears to be out of step with the rest of the sector and is, therefore, being closely watched.
When an insurance company denies coverage based on an exclusion within a policy, it bears the burden of proof to show that the exclusion applies[3]. Zurich will, therefore, likely need to establish that the NotPetya cyber-attack was a state-sponsored attack that falls under the war exclusion.
 
  • Under the typical insurance dispute scenario, Zurich would need to provide proof showing the NotPetya cyber-attack was performed by state-sponsored attackers as an act of war by a government or sovereign power.
  • While the United States and the United Kingdom have placed blame on Russian hackers for the NotPetya cyber-attacks, Russia and the Kremlin have denied any involvement, and proof of the nation-state attribution may be difficult to produce given the sensitivity around sources and methods used by the government as well as the different levels of certainty for a decision taken for political purposes and that of a court proceeding.
A related question that could play a factor in the dispute is whether the attribution issue should matter at all. The reason the “acts of war” exclusion exists in insurance policies is that it is simply unrealistic to expect an insurance company to bear the massive and unpredictable costs that come with military action. But a cyber-breach or ransomware incident, even one on the scale of NotPetya, is more predictable, some would say very likely, and while costly, does not approach the total destruction that is entailed in any military conflict. In fact, Mondelez has alleged that Zurich’s denial of coverage in this manner is “unprecedented” in applying the war exclusion to “anything other than conventional armed conflict or hostilities.”[4]
 
Moreover, the NotPetya attacks could just as easily have been carried out by many non-state hackers. The NotPetya ransomware did not rely on high-end “nation-state” technology, the likes of which often have been used in the Middle East, and only the year before, “WannaCry” had a similarly widespread impact on companies and governments in what appeared to be an attempt to extort money. Many nation-state attacks, such as the Russian efforts against the Democratic National Committee or the North Korean theft of funds from Bangladesh, use basic approaches that many organized hacking groups also employ.
 
This does not mean a “war exclusion” is without justification in the cybersecurity landscape – for example, a widespread take-down of an electric grid, much like the Russian attacks in the Ukraine, could have widespread impacts on the scale of a military attack, including loss of property and life. In such a scenario, there is a high risk the insurance sector will be quickly overwhelmed by a large number of claims in one area or one sector, resulting in a potential market failure. As such, the Mondelez-Zurich dispute may helpfully add to a broader discussion around the limits of insurance for cyber-attacks and where a government back-stop may be advisable, similar the approach taken after 9/11 for terrorism coverage.
 
At a more practical level, this case highlights the need for companies to scrutinize their insurance policies to be sure that incidents such as cyber-related losses will be covered, to push for narrowly tailored exclusions within the policies and to practice good cybersecurity that focuses on the simple fundamentals, which are also the most difficult to do well.
 
Cyber-Attacks Increasingly Raise Risks of Physical Damage/Injury

In order for a claim to be approved under a property insurance policy, the cyber-attack would need to fall within the limits of the policy and take into account differing explanations and exclusions, including the war exclusion. Property insurance policies provide coverage when there is damage to property. Until recently, there have been very few publicly reported cyber-attacks that have led to actual physical damage. This is changing, and with the proliferation of more control devices and Internet of Things-related applications, the risk is growing quickly.Among notable attacks that had a “kinetic” dimension:
 
  • The “shamoon” attacks on Saudi Aramco, attributed to Iran in 2012 and 2014, resulted in the effective destruction of tens of thousands of computers, which had to be replaced after the hard drives had key sectors “wiped” rendering them useless.
  • Russian hackers have regularly used multi-pronged attacks against the Ukraine, causing large-scale shutdowns of the electric grid with some collateral damage, including a significant attack in December 2015.
  • In 2015 it was reported that an unnamed German steel mill suffered a cyber-attack that manipulated and disrupted control systems in a way that prevented their blast furnace from properly shutting down. The cyber-attack led to massive physical damage to the steel mill.[5]
Cyber-Policies Are More on Point Than Property Policies

Increasingly, companies have many other options for insurance coverage for cyber-attacks, hacking or other cyber-related incidents. Tailored cyber-specific policies are now practically a requirement for most medium- and large-scale companies. While the insurance market in cyber is still quite immature relative to other types of losses, the product lines for most major insurers are far more sophisticated than even one to two years ago. A key consideration is that the objective for cyber-coverage should be to fill in the gaps where your technology, training and controls cannot realistically be expected to provide a layered defense at a reasonable cost.
 
  • For example, phishing is difficult to defend against and with more hackers relying on “living off the land” exploits that use the software built into the targeted system to carry out their attack, the likelihood of some successful hack is nearly 100 percent. Recovery is therefore more important, and insurance coverage to enable that to happen quickly is paramount.
Small businesses are also increasingly good candidates for cyber-insurance. In 2018 the majority (58%) of malware attack victims were categorized as small businesses.[6] And while metrics on the impact of cyber-attacks are still not comprehensive, most studies show that a significant majority of small- and medium-size businesses that suffer a breach end up going out of business, in many cases because the cost of recovery exceeds their revenues.

For more information on cybersecurity, please contact Guillermo Christensen, Rachel Spiker, or another member of our Data Security and Privacy Team.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 
[1] MONDELEZ INTERNATIONAL, INC., Plaintiff, v. ZURICH AMERICAN INSURANCE COMPANY, Defendant., 2018 WL 4941760 (Ill.Cir.Ct.)
[2] Id.
[3] Id.
[4] Id.
[6] Verizon.  2018 Data Breach Investigations Report. https://enterprise.verizon.com/resources/reports/dbir/
View Full Site View Mobile Optimized