Any company that becomes a victim of ransomware should expect many expenses. First on the list is the cost of the ransom payment demanded by the ransomware author. Companies with no reliable backup system in place that can recreate the lost data have no other choice but to hire professionals to rebuild the lost data from scratch, which almost always comes at a premium price. Where, then, will a company that is not a tech giant source the funds to recover from a devastating ransomware attack? Remember, the cost of repairing a brand damaged by the ransomware episode is not yet counted in this case.
Enter insurance companies; they are the ‘savior’ of those that are in dire shape, especially in the wake of a cyber attack or a malware outbreak. Unfortunately, not all insurance institutions support their clients in their time of need. Some will use lawyer-speak to avoid paying the insurance claims of ransomware victims, just as Zurich Insurance Group did. Relying on clever language in the insurance policy, Zurich is refusing to pay Mondelez International Inc., a food-producing firm, its insurance benefit after the company fell victim to the NotPetya ransomware. “Hostile acts by sovereign actors” cannot be used as a basis for an insurance claim, as per Zurich Insurance Group’s policy.
As of this writing, it is not yet known whether other insurance vendors have a similar or equivalent policy to Zurich’s. This is very bad news for Mondelez International Inc., as the insurance money would be a great help in recovering its damaged brand, caused by the disruption of its day-to-day operations, especially in processing customers’ orders.
“Essentially, Zurich’s position is that NotPetya was a ‘hostile or warlike action’ by a ‘government or sovereign power.’ In fact, NotPetya is widely viewed as a state-sponsored Russian cyber attack masquerading as ransomware that was designed to target Ukraine but inadvertently spread globally. Russia denies these allegations. As the carrier, Zurich has the burden to prove that the exclusion applies. In other words, Zurich has to prove that NotPetya was a hostile or warlike act by a government or sovereign power – specifically Russia. Attribution for cyber attacks has improved recently, but Russia has denied any allegation that it instigated NotPetya,” explained Robert Stines, a Professional Liability Defense Cyber Lawyer.
If proven effective, this technique for evading the payment of insurance claims will become the norm and will be copied by other insurance vendors. Such a legal environment would set a very dangerous precedent, as victims may end up simply filing for bankruptcy because they cannot financially recover from cyber attacks.
“Does Zurich plan to subpoena evidence from the FBI or the Department of Homeland Security to prove Russia was the perpetrator – evidence that is probably confidential and requires some sort of secret clearance (I think not). Better yet, can a judge or jury in Illinois, in an insurance case, determine that Russia was the perpetrator of a cyber attack and thus trigger an exclusion in an insurance policy (doubtful)? But, Zurich is also a “big deal” global company that has many resources. It must have analyzed the pros and cons of raising the War and Terrorist exclusion, and exhausted all other options before making such a bold and unprecedented decision. Zurich probably has an ace up its sleeve or maybe Mondelez has overlooked a critical issue. We shall see . . .,” said Stines.