Cyber-Insurance And (Not) You: NotPetya and Zurich

Cyber-insurance shock: Zurich refuses to foot NotPetya ransomware clean-up bill – and claims it’s ‘an act of war’:

Snack company client disagrees, sues for $100m
US snack food giant Mondelez is suing its insurance company for $100m after its claim for cleaning up a massive NotPetya ransomware infection was rejected – for being “an act of war” and therefore not covered under its policy.
Zurich American Insurance Company has refused to pay out on a Mondelez policy that explicitly stated it covered “all risks of physical loss or damage” as well as “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”
The claim stems from the 2017 NotPetya cyberattack: a Windows-based piece of ransomware that encrypted a hard drive’s file system table and prevented the system from booting. The code then demanded that a Bitcoin payment be made to regain access. Mondelez says it lost 1,700 servers and 24,000 laptops as a result of the malware.

The Register has an almost uncharacteristically restrained take on this. This bit about Zurich trying not to pay out is particularly interesting:

That is a very unusual position to take – Mondelez called it “unprecedented” in court papers – since the insurance company will be obliged to prove that it was in fact the Russian government that had carried out the attack as a hostile action. It is notoriously difficult to pin cyberattacks on specific groups, governments or organizations.
If Zurich does succeed in arguing its case in court and wins, it would have an immediate impact, causing all large companies to review their policies and most likely creating a new market in cyberattack insurance almost overnight.

Why did Zurich come to this conclusion? Infosecurity provides a good summary.
Zurich Refuses to Pay Out for NotPetya ‘Act of War’:

Led by the UK, the Five Eyes nations came together in February last year to blame Russia for the attacks in June 2017.
“The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organizations across Europe costing hundreds of millions of pounds,” a Foreign Office statement noted at the time.
However, despite their strong statements, the governments didn’t produce hard evidence to back up their claims, which could make it difficult for Zurich to prove its case, according to experts.
… NotPetya caused losses that ran into the hundreds of millions for the likes of FedEx, Maersk, Merck and many more. It was claimed in November that they have now exceeded $3bn.

I thought this analysis was interesting in that a security practitioner provided it and not someone from the insurance sector (from the same article):

The insurer should instead have invoked a gross negligence clause, because Mondelez was hit by the same ransomware twice, argued Igor Baikalov, chief scientist at Securonix.
“The ‘fool me once’ proverb is fully applicable here: while many companies fall victims to ransomware, one of the first steps to recovery is to make sure it doesn’t happen again,” he added.
“Zurich is likely taking one for the team here, testing the waters for the whole insurance industry on the efficiency of the war exclusion and their ability to attribute attacks to a nation-state. I wonder who insures the insurers: what kind of cybersecurity protection is on Zurich’s own policy?”

ZDNet offers its own take in NotPetya an ‘act of war,’ cyber insurance firm taken to task for refusing to pay out:

NotPetya is a type of ransomware similar to Petya but it received a raft of upgrades and increased in sophistication before being released to the point researchers separated the malware out into its own family.
The ransomware will often use the EternalBlue and EternalRomance exploits to propagate. Once executed on a vulnerable Windows machine, the malware will reboot the system and overwrite the master boot record (MBR) with a custom loader and a ransomware note which demands $300 in Bitcoin (BTC).
As reported by Bloomberg, the Mondelez-Zurich dispute has been given an interesting facet in the field of cyber insurance due to attribution, and one which has the potential to prompt insurance companies worldwide to reexamine their policies.
… While the insurance policy covered “physical loss or damage to electronic data, programs, or software” by way of “the malicious introduction of a machine code or instruction,” Zurich apparently chose not to pay up, citing the NotPetya spread as “hostile or warlike action in time of peace or war,” which, therefore, voided the claim.
Marsh & McLennan argues, however, that as NotPetya struck non-military targets who operated “at places far removed from the locale or the subject of any warfare;” the damage caused was purely economic rather than resulting in any loss of life or injury, and “the chaos caused by NotPetya bore greater resemblance to a propaganda effort rather than a military action intended for “coercion or conquest,” which the war exclusion was intended to address.”
“As cyber-attacks continue to grow in severity, insurers and insurance buyers will revisit the issue of whether the war exclusion should apply to a cyber incident,” said Matthew McCabe, senior VP of Marsh. “For those instances, reaching the threshold of ‘warlike’ activity will require more than a nation-state acting with malicious intent […] most nation-state hacking still falls into the category of criminal activity.”

This confluence of cyber-insurance, attribution, and security hygiene will prove interesting to see play out. I’m no fan of attribution generally and think too many organizations look at cyber-insurance as a “get out of jail free” card for immature security hygiene and responsibility avoidance.
As I have no particular insight into this specific case other than what the press reports, I will stay tuned (via the above ZDNet citation):

The case, filed with the Cook County court in Illinois (case: 2018 L 011008), alleges that Spanish food giant Mondelez’ insurance company Zurich did not pay out following the attack, which took place in 2017.
