Techlawx posted news about an astounding NotPetya-related lawsuit, (link at the end).
We all remember June 27, 2017, when a major global cyber attack harmed thousands of companies. The malicious code was dubbed NotPetya, a variation of ransomware called Petya that was first discovered in 2016.
Among the companies infected was Mondelez International, who produces and markets snack food and beverage products for consumers in approximately 165 countries. They own brands like Nabisco, Oreo, belVita biscuits, Cadbury chocolate, Toblerone chocolate and trident gum.
NotPetya caused damage to its hardware and operational software systems, property, commercial supply and distribution disruptions, unfulfilled customer orders, reduced margins, and other covered losses aggregating well in excess of $100,000,000 (Wow!!).
Now, Zurich American Insurance to the Rescue or Not!?
Zurich American Insurance Company sold an insurance policy to Mondelez that provided coverage for "all risks of physical loss or damage" to property, including "physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction."
The policy also provided coverage for loss or expenses incurred by Mondelez during the period of business interruption directly resulting from the failure of Mondelez's electronic data processing equipment or media.
The Zurich policy was effective during the cyber attack; therefore, it would appear that Zurich was on the hook to indemnify Mondelez for the NotPetya attack.
Not so fast.
After the cyber attack, Mondelez made a claim to Zurich and worked with Zurich personnel to adjust the loss. Well, after a lot of "to and fro" Zurich denied coverage based on an exclusion in the policy for hostile or warlike action in time of peace or war.
Essentially, Zurich's position is that NotPetya was a "hostile or warlike action" by a "government or sovereign power." In fact, NotPetya is widely viewed as a state-sponsored Russian cyber attack masquerading as ransomware that was designed to target Ukraine but inadvertently spread globally. Russia denies these allegations.
Mondelez did what any "big-deal" company would do, it sued Zurich!
Zurich Has to Prove Russia Did It
As the carrier, Zurich has the burden to prove that the exclusion applies. In other words, Zurich has to prove that NotPetya was a hostile or warlike act by a government or sovereign power - specifically Russia. Attribution for cyber attacks has improved recently, but Russia has denied any allegation that it instigated NotPetya.
Again, the full article is at Techlawx and is fascinating reading!
