Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong.


LONDON — Within days of a cyberattack, warehouses of the snack food company Mondelez International filled with a backlog of Oreo cookies and Ritz crackers.

Mondelez, owner of dozens of well-known food brands like Cadbury chocolate and Philadelphia cream cheese, was one of the hundreds of companies struck by the so-called NotPetya cyberstrike in 2017. Laptops froze suddenly as Mondelez employees worked at their desks. Email was unavailable, as was access to files on the corporate network. Logistics software that orchestrates deliveries and tracks invoices crashed.

Even with teams working around the clock, it was weeks before Mondelez recovered. Once the lost orders were tallied and the computer equipment was replaced, its financial hit was more than $100 million, according to court documents.

After the ordeal, executives at the company took some solace in knowing that insurance would help cover the costs. Or so they thought.

Mondelez’s insurer, Zurich Insurance, said it would not be sending a reimbursement check. It cited a common, but rarely used, clause in insurance contracts: the “war exclusion,” which protects insurers from being saddled with costs related to damage from war.

Mondelez was deemed collateral damage in a cyberwar.

The 2017 attack was a watershed moment for the insurance industry. Since then, insurers have been applying the war exemption to avoid claims related to digital attacks. In addition to Mondelez, the pharmaceutical giant Merck said insurers had denied claims after the NotPetya attack hit its sales research, sales and manufacturing operations, causing nearly $700 million in damage.

When the United States government assigned responsibility for NotPetya to Russia in 2018, insurers were provided with a justification for refusing to cover the damage. Just as they wouldn’t be liable if a bomb blew up a corporate building during an armed conflict, they claim not to be responsible when a state-backed hack strikes a computer network.

The disputes are playing out in court. In a closely watched legal battle, Mondelez sued Zurich Insurance last year for breach of contract in an Illinois court, and Merck filed a related suit in New Jersey in August. Merck sued more than 20 insurers that rejected claims related to the NotPetya attack, including several that cited the war exemption. The two cases could take years to resolve.

The legal fights will set a precedent about who pays when businesses are hit by a cyberattack blamed on a foreign government. The cases have broader implications for government officials, who have increasingly taken a bolder approach to naming-and-shaming state sponsors of cyberattacks, but now risk becoming enmeshed in corporate disputes by giving insurance companies a rationale to deny claims.

“You’re running a huge risk that cyberinsurance in the future will be worthless,” said Ariel Levite, a senior fellow at the Carnegie Endowment for International Peace, who has written about the case. But he said the insurance industry’s position on NotPetya is “not entirely frivolous, because it is widely believed that the Russians had been behind the attack.”

Mondelez said in a statement that while its business had recovered quickly from the attack, Zurich Insurance was responsible for honoring an insurance policy that explicitly covers cyber events. The company added that it did not believe the war exemption clause fit the circumstances.

Zurich Insurance, based in Switzerland, and Merck declined to comment because of the active litigation. But court documents, public filings and interviews with people familiar with the cases provided details about the disputes.

Cyberattacks have created a unique challenge for insurers. Traditional practices, like not covering multiple buildings in the same neighborhood to avoid the risk of, say, a large fire, don’t apply. Malware strikes fast and unpredictably, leaving an expensive trail of collateral damage.

“It cuts across practically every type of business activity,” Mr. Levite said. The risk, he said, “no longer can be contained in this interconnected world.”

NotPetya — which picked up the odd name because security researchers initially confused it with a piece of so-called ransomware called Petya — was a vivid example. It was also a powerful attack on computer networks that incorporated a stolen National Security Agency cyberweapon.

American officers tied the attack to Russia and its conflict with Ukraine. The original target was a Ukrainian tax software maker and its Ukrainian customers. In just 24 hours, NotPetya wiped clean 10 percent of all computers in Ukraine, paralyzing networks at banks, gas stations, hospitals, airports, power companies and nearly every government agency, and shutting down the radiation monitors at the old Chernobyl nuclear power plant.

The attack made its way to the software maker’s global clients, eventually entangling Mondelez and Merck, as well as the Danish shipping conglomerate Maersk and FedEx’s European subsidiary. It hit even Russia’s state-owned oil giant, Rosneft.

In a statement in 2018, the White House described NotPetya as “part of the Kremlin’s ongoing effort to destabilize Ukraine” and said it had demonstrated “ever more clearly Russia’s involvement in the ongoing conflict.”

Many insurance companies sell cyber coverage, but the policies are often written narrowly to cover costs related to the loss of customer data, such as helping a company provide credit checks or cover legal bills.

Mondelez, a former unit of Kraft Foods, argues that its property insurance package should cover the losses from the NotPetya attack. In court filings, Mondelez said its policy had been updated in 2016 to include losses caused by “the malicious introduction of a machine code or instruction.”

The company lost 1,700 servers and 24,000 laptops. Employees were left to communicate through WhatsApp, and executives posted updates on Yammer, a social network used by companies.

Damage from NotPetya spread all the way to Hobart, Tasmania, where computers in a Cadbury factory displayed so-called ransomware messages that demanded $300 in Bitcoin.

Courts often rule against insurers that try to apply the wartime exemption. After hijackers destroyed a Pan Am airliner in 1970, a United States court rejected Aetna’s attempt, determining that the action was criminal, not an act of war. In 1983, a judge ruled that Holiday Inn’s insurance policy covered damage from the civil war in Lebanon.

In the Mondelez and Merck lawsuits, the central question is whether the government’s attribution of the NotPetya attack to Russia meets the bar for the war exclusion.

Risk industry experts say cyberwar is still largely undefined. Attribution can be difficult when attacks come from groups with unofficial links to a state and the blamed government denies involvement.

“We still don’t have a clear idea of what cyberwar actually looks like,” said Jake Olcott, vice president at BitSight Technologies, a cyber risk adviser. “That is one of the struggles in this case. No one has said this was an all-out cyberwar by Russia.”

In the past, American officials were reluctant to qualify cyberattacks as cyberwar, fearing the term could provoke an escalation. President Barack Obama, for example, was careful to say the aggressive North Korean cyberattack on Sony Entertainment in 2014, which destroyed more than 70 percent of Sony’s computer servers, was an act of “cybervandalism.”

That label was sharply criticized by Senators John McCain and Lindsey Graham, who called the hack a “new form of warfare” and “terrorism.”

The description of the Sony attack was deliberate, said John Carlin, the assistant attorney general at the Justice Department at the time. In an interview, he said the Obama administration had worried, in part, that the use of “cyberwar” would have triggered the liability exclusions and fine print that Mondelez is now challenging in court.

Scott Kannry, the chief executive of the risk assessment firm Axio Global, said the insurance industry was watching the Mondelez case closely because many policies were created before cyberattacks were such an urgent risk.

“You have insurers who are sitting on insurance policies that were never underwritten or understood to cover cyber risk,” Mr. Kannry said. “Zurich didn’t underwrite the policy with the idea that a cyber event would cause the kind of losses that happened to Mondelez. Nobody is at war with Mondelez.”

Many insurance companies are rethinking their coverage. Since the lawsuits were filed, Shannan Fort, who specializes in cyberinsurance for Aon, one of the world’s largest insurance brokers, has been fielding calls from companies scrambling to be sure they’ll be safe if attacked, she said.

“I don’t want to scare people, but if a country or nation state attacks a very specific segment, like national infrastructure, is that cyberterrorism or is that an act of war?” Ms. Fort asked. “There is still a bit of gray area.”

Ty Sagalow, a former chief operating officer at the insurance giant A.I.G., helped pioneer the market for cyber risk insurance nearly two decades ago. He said his team had contemplated a “Cyber Pearl Harbor” attack not unlike the NotPetya attack.

“Cyberwar and cyberterrorism has always been a tricky area,” Mr. Sagalow said. Insurers risk abusing the war exclusion by not paying claims, he said, particularly when an attack “can hit companies that were not the original target of violence.”

Collateral damage from attacks that get out of control are going to become more and more common, he added. “That is what cyber is today,” Mr. Sagalow said. “And if you don’t like it, you shouldn’t be in the business.”



Source: Nytimes.com
