Governments attributing cyberattacks to specific countries usually ends in nothing more than a line in a news story. But sometimes these kinds of claims can have unforeseen consequences.
The $100 Million insurance coverage lawsuit between Mondelez, the owner of brands such as Oreos and Nabisco, and Zurich Insurance group is apparently being impacted by statements made from the U.S. Government.
Back in 2017, NotPetya attacks decimated Mondelez operations. So, Mondelez filed a $100 million claim on its insurance policy with Zurich Insurance Group. But Zurich denied the claim, using an exclusion in the policy for “hostile or warlike action in time of peace or war.” The lawsuit is the result of that denial.
What makes this more complicated is that, in order to win the lawsuit, Zurich needs to prove the attack was warlike in nature. But when the U.S. White House makes an official statement calling the attack, “part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict”, statements like these (there have been a number made by different Western governments) give Zurich the ammunition they need as the basis for their case.
Even with statements like this, there is no proof given by any governments to substantiate the claims. So, the outcome of the lawsuit is unclear.
But, what is clear, is that governments should be careful when making broad statements – they clearly have ramifications that impact businesses, employees, and families.
What’s also clear is that organizations cannot simply rely on the fact that they have cyber insurance in lieu of putting a proper security strategy in place. The safety net of a policy rests on the attack specifics – as is indicated by this story.
Organizations need a proactive, layered security strategy that focuses on the attack surface, which includes solutions like endpoint protection, web, email, and DNS scanning, Security Awareness Training, privileged account management, and multi-factor authentication.