Author: Adam Satariano and Nicole Perlroth / Source: New York Times
Christina Chung
LONDON — Within days of a cyberattack, warehouses of the snack foods company Mondelez International filled with a backlog of Oreo cookies and Ritz crackers.
Mondelez, owner of dozens of well-known food brands like Cadbury chocolate and Philadelphia cream cheese, was one of the hundreds of companies struck by the so-called NotPetya cyberstrike in 2017. Laptops froze suddenly as Mondelez employees worked at their desks.
Email was unavailable, as was access to files on the corporate network. Logistics software that orchestrates deliveries and tracks invoices crashed.Even with teams working around the clock, it was weeks before Mondelez recovered. Once the lost orders were tallied and the computer equipment was replaced, its financial hit was more than $100 million, according to court documents.
After the ordeal, executives at the company took some solace in knowing that insurance would help cover the costs. Or so they thought.
Mondelez’s insurer, Zurich Insurance, said it would not be sending a reimbursement check. It cited a common, but rarely used, clause in insurance contracts: the “war exclusion,” which protects insurers from being saddled with costs related to damage from war.
Mondelez was deemed collateral damage in a cyberwar.
The 2017 attack was a watershed moment for the insurance industry. Since then, insurers have been applying the war exemption to avoid claims related to digital attacks. In addition to Mondelez, the pharmaceutical giant Merck said insurers had denied claims after the NotPetya attack hit its sales research, sales and manufacturing operations, causing nearly $700 million in damage.
When the United States government assigned responsibility for NotPetya to Russia in 2018, insurers were provided with a justification for refusing to cover the damage. Just as they wouldn’t be liable if a bomb blew up a corporate building during an armed conflict, they claim not to be responsible when a state-backed hack strikes a computer network.
The disputes are playing out in court. In a closely watched legal battle, Mondelez sued Zurich Insurance last year for a breach of contract in an Illinois court, and Merck filed a similar suit in New Jersey in August. Merck sued more than 20 insurers that rejected claims related to the NotPetya attack, including several that cited the war exemption. The two cases could take years to resolve.
The legal fights will set a precedent about who pays when businesses are hit by a cyberattack blamed on a foreign government. The cases have broader implications for government officials, who have increasingly taken a bolder approach to naming-and-shaming state sponsors of cyberattacks, but now risk becoming enmeshed in corporate disputes by giving insurance companies a rationale to deny claims.
“You’re running a huge risk that cyberinsurance in the future will be worthless,” said Ariel Levite, a senior fellow at the Carnegie Endowment for International Peace, who has written about the case. But he said the insurance industry’s position on NotPetya is “not entirely frivolous, because it is widely believed that the Russians had been behind the attack.”
Mondelez said in a statement that while its business had recovered quickly from the attack, Zurich Insurance was responsible for honoring an insurance policy that explicitly covers cyber events. The company added that it did not believe the war exemption clause fit the circumstances.
Zurich Insurance, based in Switzerland, and Merck declined to comment because of the active litigation. But court documents, public filings and interviews with people familiar with cases provided details about the disputes.
Cyberattacks have created a unique challenge for insurers. Traditional practices, like not covering multiple buildings in the same neighborhood to avoid the…
The post Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong. appeared first on FeedBox.