“You have insurers who are sitting on insurance policies that were never underwritten or understood to cover cyber risk,” Mr. No one has said this was an all-out cyberwar by Russia.” “That is one of the struggles in this case. “We still don’t have a clear idea of what cyberwar actually looks like,” said Jake Olcott, vice president at BitSight Technologies, a cyber risk adviser. Attribution can be difficult when attacks come from groups with unofficial links to a state and the blamed government denies involvement. Risk industry experts say cyberwar is still largely undefined. In the Mondelez and Merck lawsuits, the central question is whether the government’s attribution of the NotPetya attack to Russia meets the bar for the war exclusion. In 1983, a judge ruled that Holiday Inn’s insurance policy covered damage from the civil war in Lebanon. After hijackers destroyed a Pan Am airliner in 1970, a United States court rejected Aetna’s attempt, determining that the action was criminal, not an act of war. It hit even Russia’s state-owned oil giant, Rosneft. Damage from NotPetya spread all the way to Hobart, Tasmania, where computers in a Cadbury factory displayed so-called ransomware messages that demanded $300 in Bitcoin. Courts often rule against insurers that try to apply the wartime exemption. The attack made its way to the software maker’s global clients, eventually entangling Mondelez and Merck, as well as the Danish shipping conglomerate Maersk and FedEx’s European subsidiary. In just 24 hours, NotPetya wiped clean 10 percent of all computers in Ukraine, paralyzing networks at banks, gas stations, hospitals, airports, power companies and nearly every government agency, and shutting down the radiation monitors at the old Chernobyl nuclear power plant. The original target was a Ukrainian tax software maker and its Ukrainian customers.
It was also a powerful assault on computer networks that incorporated a stolen National Security Agency cyberweapon. American officials tied the attack to Russia and its conflict with Ukraine. NotPetya - which picked up the odd name because security researchers initially confused it with a piece of so-called ransomware called Petya - was a vivid example. The risk, he said, “no longer can be contained in this interconnected world.” “It cuts across practically every type of business activity,” Mr. But court documents, public filings and interviews with people familiar with cases provided details about the disputes. Zurich Insurance, based in Switzerland, and Merck declined to comment because of the active litigation. The company added that it did not believe the war exemption clause fit the circumstances. Mondelez said in a statement that while its business had recovered quickly from the attack, Zurich Insurance was responsible for honoring an insurance policy that explicitly covers cyber events. But he said the insurance industry’s position on NotPetya is “not entirely frivolous, because it is widely believed that the Russians had been behind the attack.” “You’re running a huge risk that cyberinsurance in the future will be worthless,” said Ariel Levite, a senior fellow at the Carnegie Endowment for International Peace, who has written about the case. The cases have broader implications for government officials, who have increasingly taken a bolder approach to naming-and-shaming state sponsors of cyberattacks, but now risk becoming enmeshed in corporate disputes by giving insurance companies a rationale to deny claims. The legal fights will set a precedent about who pays when businesses are hit by a cyberattack blamed on a foreign government.