View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
January 11, 2019updated 08 Jul 2022 9:22am

UK’s Russia Attribution for NotPetya Upends $100 Million Lawsuit

Zurich cites "war exclusion" for not paying Mondelez damages

By CBR Staff Writer

Nearly a year after the British government formally laid the blame for 2017’s widespread NotPetya malware infections at Moscow’s door, it may not have anticipated one consequence: a twist in a $100 million lawsuit between Mondelez, one of the largest companies damaged by the malware and Zurich, its insurer.

This week Zurich Insurance flatly rejected a $100 million claim by Mondelez: the confectionary giant had sought damages under a provision of its insurance policy that covers “physical loss or damage to electronic data, programs, or software” caused by “the malicious introduction of a machine code or instruction”.

(The company suffered permanent damage to 1,700 of its servers and 24,000 laptops, it said in a court filing on Thursday in Illinois, as the FT reports).

See also: Global Shipping Giant COSCO Shut Down by Ransomware

Zurich’s justification? The incident fell under policy exclusion covering “hostile or warlike action in time of peace or war.” (The initial UK statement from Foreign Office Minister Lord Ahmad described it as an “attack [that] masqueraded as a criminal enterprise but its purpose was principally to disrupt.”

The case is being closely watched: numerous insurers are grappling with whether to exclude state-sponsored or terrorist cyberattacks. With state-level hacking tools widely available and attribution increasingly difficult to make, owing to state-sponsored actors making use of third parties and other countries, it’s a clear challenge.

Zurich can refer to a number of official statements by other Western governments describing NotPetya as part of a Russian hostile action against Ukraine. One likely hurdle: no proof that would stand up in a courtroom has been offered to back up the accusation. (As is standard in intelligence-led attributions).

The lawsuit raises the question of whether the claims from official sources should be admissible as evidence, even when they lack substantiation. With nation state-level offensive hacking tools out in the wild and claims being bandied about widely without attribution, cyber insurance is about to get even more complicated.

Content from our partners
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester
Infosecurity Europe 2024: Rethink the power of infosecurity

Read this: “You May Say it’s a Dreamer”: Microsoft Calls for “Digital Peace”

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.