As the International Cybersecurity Forum in Lille, France (FIC2019) approaches: a major test for cyber hack insurance


20 January 2019 – The International Cybersecurity Forum in Lille, France (FIC2019) is a platform aiming to promote a pan-European vision of cybersecurity as well as to strengthen the fight against cybercrime. It has fast become THE reference event, bringing together all major actors of digital trust. This year we’ll have over 8,700 visitors, 350+ vendors and partners, and over 80 countries represented.

There is no better place than FIC2019 to:

– learn about cyber technology, cyber warfare and cyber security

– have the opportunity to meet the major players in cyber security and take stock of the tendencies and trends regarding cyber attacks, and especially of the solutions, now that this problem is becoming so critical and so much more general

And on the eve of FIC2019 looms the first serious legal dispute over how companies can recover the costs of a cyber attack, as insurance groups seek to tightly define their liabilities.

The case involves Mondelez, the U.S. food company that owns the Oreo and Cadbury brands, which is suing its insurance company, Zurich, for refusing to pay out on a $100m claim for damage caused by the NotPetya cyber attack.

This is a pretty big deal. As a cyber law specialist, I’ve never seen an insurance company take this position. And I have yet to see an insurance policy that does not exclude an act of war. This is going to send ripples through the insurance industry. Major companies are going to rethink what’s in their policies.

There are really two key questions that remain unresolved:

  1. Who makes the determination of whether or not a malicious cyber incident that originated from a nation-state triggers the exclusion?
  2. What is the threshold of malicious cyber activity that would be considered an act of war? Does merely exposing emails count?

And more intriguing, the case comes as U.S. Department of Defense leaders have remade their cybersecurity strategy in recent months to emphasize the department’s ability to operate on enemy networks but to do so below the threshold of war.

Also, remember this case is not the first time such a large sum has been discussed for such cyber attacks. When Sony suffered a cyberattack from North Korea in 2014 after the planned release of its movie “The Interview,” which depicted the murder of Kim Jong Un, the company received $100 million in damages from its insurance company.

Background

The NotPetya attack in the summer of 2017 crippled the computer systems of companies around the world, including Merck, the pharmaceuticals company, Reckitt Benckiser, the consumer group, and Maersk, the world’s largest shipping group.

It caused billions of dollars of damage and has been blamed by the US and the UK on Russian hackers attacking the Ukrainian government. The Kremlin has denied any involvement.

My media team has been in Illinois where the case was filed and is tracking the court filings. At the end of this post I have a link to the original complaint. I will keep readers informed as the case progresses.

In brief, Mondelez said it had been hit twice by NotPetya, with 1,700 of its servers and 24,000 laptops rendered “permanently dysfunctional”. Mondelez made a claim for the costs on its property insurance policy that, it said, provided cover for “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction”.

According to the Mondelez court documents, Zurich initially worked to adjust the claim in the usual way and at one point even promised to make a $10m interim payment. But it later refused to pay, relying on an exclusion in the policy for “a hostile or warlike action” by a government or sovereign power or people acting for them. Mondelez described Zurich’s refusal as “unprecedented” and is seeking $100m in damages. Both companies declined to comment on the case.

I have spoken to several insurance brokers and they all agree it is a pretty bold move to rely on a war exclusion for a state-sponsored hack. Nobody has raised this exclusion before. The insurer would have to prove it and it’s so hard to prove attribution. And exclusions for terrorism and war were “a bit of a grey area” but I think it unlikely that the policy’s authors would have had such cyber attacks in mind when inserting the exclusion.

But the claim gets to the heart of one of the insurance industry’s biggest worries about cyber attacks. While there is a booming market for cyber-specific insurance policies, many companies make claims for cyber attacks on their non-cyber policies, as Mondelez has done. Insurers are concerned about the full extent of this so-called “silent cyber exposure”, and experts said Zurich could be testing the courts on this point. It is a large loss on a non-cyber policy. This would be a silent cyber claim and insurers are trying to weed out that coverage.

Nevertheless, the case could have wide implications for the insurance market, potentially pushing insurance buyers to either buy cyber-specific policies or demand tighter terms for their non-cyber coverage.

To read the original complaint click here.

NOTE: you can follow all the action next week on Twitter following the hashtag #FIC2019 and the event Twitter account @FIC_fr, as well as our Twitter account @ediscoverycloud which will be Tweeting in French and English.
