Following the news that Mondelez, the US food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, for refusing to pay out on a $100m claim for damage caused by the NotPetya cyber attack, please see the comments below from Igor Baikalov, chief scientist at Securonix.
Igor Baikalov, Chief Scientist at Securonix:
“Instead of a war exclusion clause, Zurich should have invoked a gross negligence clause, which is much easier to prove in this case than an attribution to a nation-state, particularly considering Mondelez was hit twice by the same ransomware. The “fool me once” proverb is fully applicable here: while many companies fall victim to ransomware, one of the first steps to recovery is to make sure it doesn’t happen again.
Many victims of data breaches or ransomware attacks cry “nation-state!” as the first response to the incident, even though very few are able to prove it, and lax cybersecurity programs are to blame in most cases. Zurich is likely taking one for the team here, testing the waters for the whole insurance industry on the efficiency of the war exclusion and their ability to attribute attacks to a nation-state. I wonder who insures the insurers: what kind of cybersecurity protection is on Zurich’s own policy?
Bringing your computer systems up to date with security patches, monitoring your environment for signs of infection, educating your users on cyber hygiene, and vaccinating computers against NotPetya – these are some of the actions that could have significantly reduced the impact of the secondary infection.”