Should insurers pay damages caused by ransomware?

The company argues that its insurance does not cover damage caused “by Acts of war”

According to network security and ethical hacking specialists from the International Institute of Cyber Security, the American company Mondelez, dedicated to food, beverages and snacks, has decided to sue its insurance company by an estimated figure of $100M USD. According to the reports, the company claims that its insurer has refused to cover the damage caused by an infection of NotPetya ransomware, arguing that this infection is part of a “cyber war campaign”, scenario that is not covered by the insurance policy.

Zurich American Insurance Company has refused to pay a policy which explicitly mentions that its insurance “covers all risks of loss or physical, data, programs or any software damages, including damage caused in the event of malicious software injection in the Mondelez infrastructure.”

This claim originated during the outbreak of the ransomware NotPetya in 2017. According to experts in network security, it is a Windows-based malware capable of encrypting the file system table of a hard drive, preventing the system from starting. The company claims that due to this attack it lost 1 700 servers and 24 000 portable computer equipment.

The United Kingdom government, supported by evidence gathered by multiple network security experts, said the Russian government was behind the NotPetya attack, which also affected Ukraine’s energy infrastructure, but the Russian authorities have repeatedly denied such accusations.

Multiple private companies were also affected by NotPetya. Maersk shipping company, for example, claims to have lost about $300M USD due to these attacks; On the other hand, FedEx reported losses for a similar amount. It is estimated that insurance companies should spend about $80 billion USD to cover their policies.

After analyzing the Mondelez sue; Zurich insurance company began investigating the case with the intention of reducing the economic claims of the American company. Although Zurich offered Mondelez an initial payment of $10M USD, the insurer has denied what is claimed in the lawsuit, alleging that there is a “hostile or warlike action” or “government intervention” exclusion clause.

According to reports of experts in network security, the insurer argues that the attack was provoked by the Russian government as an act of war, a scenario that does not cover the Mondelez’s insurance policy.

This is an unprecedented case, although Mondelez argues that the insurer must demonstrate that, indeed, the Russian government is behind these attacks, which is a difficult task.

It is believed that, if the case was won, the Zurich insurer would establish a precedent in which this class of companies began to revise their policies, generating a new offer in protection against cyber threats.