The debate around state-backed cyber attacks has progressed due to the Russia-Ukraine conflict, highlighting the need for ‘proper’ cyber cover

Food and drink giant Mondelez International and insurer Zurich last week (2 November 2022) settled a multiyear legal battle over a NotPetya cyber claim worth $100m (£87m).

Mondelez, which owns brands including Cadbury, Oreo and Toblerone, submitted a claim to Zurich in 2017 after NotPetya malware infected more than 1,700 servers and 24,000 laptops at the company.

However, Zurich claimed that this cyber attack fell under a war exclusion clause and therefore refused to pay out.

A source told Insurance Times that they believed this dispute between Mondelez and Zurich had come about because Mondelez’s claim had been made via a property policy, rather than a cyber policy.

NotPetya is a form of encrypting malware generally believed to have been created by the USA’s National Security Agency – however, major NotPetya attacks carried out in June 2017 were blamed on the Russian government by security researchers, several governments and Google.

Mondelez and Zurich resolved the dispute mutually, settling for an undisclosed sum.

War exclusions

Jennifer Mulvihill, business development head of cyber insurance and legal at cyber defence platform BlueVoyant, said: “The settlement underscores many questions both the public and private sectors have been grappling with for years – even before NotPetya brought the severity and frequency of such cyber attacks to the forefront.

“Specifically within the private sector, both insured organisations and carriers are increasingly trying to determine attribution, which is at the core of this litigation.

“The question then arises – is it the private sector’s duty, responsibility or task to establish attribution? Should the private sector be involved or is this the responsibility of law enforcement?”

In August 2022, Lloyd’s of London revealed that it would require its underwriters to include exclusion clauses for state-backed cyber attacks within standalone cyber policies from 31 March 2023.

As part of this guidance, Lloyd’s said that exclusion clauses in cyber insurance policies must set out a robust basis by which the parties agree on how any state-backed cyber attacks will be attributed to one or more states and ensure that all key terms are clearly defined.

A Lloyd’s spokesperson added: “It is important that Lloyd’s can have confidence that syndicates are managing their exposures to liabilities arising from war and state-backed cyber attacks.”

Mulvihill continued: “One could argue that – for [the] purposes of determining coverage – an insurer should be involved in any attribution investigation, but as markets react to Lloyd’s announcement of exclusionary language, this seems like a daunting task better left to law enforcement.”

An act of war?

Some industry commentators have questioned Zurich’s initial position that the attack on Mondelez was an act of war, expressing confusion that this classification would apply to a snack foods manufacturer operating in a country not currently at war.

Richard Hodson, cyber expert and director at UKGlobal Broking Group, said: “War exclusions should apply to acts of war, not to somebody using [cyber weapons developed for war] to try and hack someone for their own financial gain.”

While NotPetya is a cyber weapon that is generally understood to have been created by a nation state to wage cyber warfare, its use in the Mondelez attack does not mean that the attack was an act of war itself.

“If someone uses a sword to slash a painting, that doesn’t mean that’s an act of war just because swords were developed as a weapon of war,” Hodson added.

He explained that there had been a proliferation in the use of state-developed cyber weapons to carry out attacks by non-state actors.

“Any conflict always speeds up the development of new technologies – from the development of tanks in the First World War to jets at the end of World War Two,” he said. “What we’re seeing from the Russia-Ukraine conflict is a huge amount of cyber technology weaponised that will end up in the wrong hands.

“As a result, you will possibly have state-developed tools that end up in the wrong hands that could be used for attacks on private enterprises and individuals – basically, these weapons are now in the hands of people who can use them however they want.”

Despite his belief that the Mondelez attack did not satisfy the characteristics of a claim that would fall under war exclusions, Hodson told Insurance Times that if Mondelez “had a proper cyber policy, none of these arguments would have ever happened”.

He added: “The [cyber] insurance market is moving towards greater clarity about where it wants to be, which is a good thing in general.

“But the message really is that if you want cyber cover, go out and buy a proper cyber policy.”