Mondelez, the US Food Company That Owns Oreo and Cadbury Brands, Sues Zurich in Test For Cyber Hack Insurance (ft.com) 73

Mondelez, the US food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, for refusing to pay out on a $100m claim for damage caused by the NotPetya cyber attack. From a report: The case will be the first serious legal dispute over how companies can recover the costs of a cyber attack [Editor's note: the article may be paywalled; alternative source], as insurance groups seek to tightly define their liabilities. "It's a pretty big deal. I've never seen an insurance company take this position," said Robert Stines, a cyber law specialist at the US law firm Freeborn. "It's going to send ripples through the insurance industry. Major companies are going to rethink what's in their policies." The NotPetya attack in the summer of 2017 crippled the computer systems of companies around the world, including Merck, the pharmaceuticals company, Reckitt Benckiser, the consumer group, and Maersk, the world's largest shipping group. It caused billions of dollars of damage and has been blamed by the US and the UK on Russian hackers attacking the Ukrainian government.

[...] According to the Mondelez court documents, Zurich initially worked to adjust the claim in the usual way and at one point even promised to make a $10m interim payment. But it later refused to pay, relying on an exclusion in the policy for "a hostile or warlike action" by a government or sovereign power or people acting for them. Mondelez described Zurich's refusal as "unprecedented" and is seeking $100m in damages. Both companies declined to comment on the case.

  • no subject (Score:5, Insightful)

    by fluffernutter ( 1411889 ) on Friday January 11, 2019 @09:04AM (#57943170)
    If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.
    • If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

      Let's test out your theory!

      What's your address?

      • Oh, were things that simple.

        Admit that almost every platform has unknown zero-day cracks in existence today. If it's not a local three-letter agency, "state actors", various organized entities, clever coders, or others, most all platforms have cracks. Employing risk mitigation and asset protection schemes doesn't seem to be working.

        Look at any summary of 2018 cracks, and the list is long. Billions of records were spilled into someone's bit bucket, or ransomed.

        So one insures one's assets. The devil of the po

        • If said company wants to use technology with cracks then it is up to said company to stay ahead of such cracks. Yes it can be expensive and complicated, not my problem. Maybe companies should demand more secure software.
          • That's the (w)hole point. What are due diligence and best practices against an unknown zero-day? Companies DO demand more secure software, operating platforms, monitoring, intrusion detection, and more.

            They're up against an obscene number of known uncorrected problems as well as unknown, uncorrected problems. Stuff happens.

            The car analogy is you hit black ice, which you couldn't see, and you spin out of control and hit something. In that case, your insurance pays anyway. You did your best, and there are min

            • Re: (Score:2, Flamebait)

              If software companies can't prevent zero day exploits then they shouldn't be releasing internet facing software.
              • by bondsbw ( 888959 )

                Then what is the point of such insurance?

                You don't have car insurance if your car is 100% guaranteed never to get in an accident.

    • by Nidi62 ( 1525137 )

      If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

      Especially if you did it twice since, according to the alt source, Mondelez got hit by NotPetya several times. As they say in Texas: "Fool me once, shame on me. Fool me twice, not....not gonna fool me again." Or something. I hope Zurich wins so that companies actually start seeing a financial incentive towards basic system security.

      • by Anonymous Coward

        I hope Zurich wins, so that insured companies learn they can't just pay a pittance to an insurance company to cover them if they want to avoid paying for proper security. Instead they will learn it will cost a LOT of $$$$ to pay an insurance company to cover them, as they will have to pay a lot more for a policy that would cover that sort of attack.

        On the other hand, I hope that the insured company wins so insurance companies learn to REALLY raise their rates: That way the insured companies will find out it

    • by N1AK ( 864906 )
      I'm really not sure on the point of this post. Your home insurance will include requirements about how the property is secured, and a sign asking people to take your stuff would invalidate cover that only covered theft or damage as you'd struggle to argue it was either; all of which has sweet f.a. to do with cyber liability insurance.

      Clearly some more informed people are surprised that Mondelez payout was refused; which at least implies that it isn't simply clear breaches of the terms of the agreement, o
    • That isn't an apt analogy.
      It is more like you didn't lock your windows on your second floor. The crook just used a ladder, got in, and stole your stuff, and your home insurance, which was supposed to help cover theft, didn't cover it because your house wasn't a fortress.

      The problem with IT Security today, nearly every system needs military grade security on them. Which is often expensive, and hinders the overall usefulness of the IT Infrastructure.

      This is why these companies buy Cyber hack insurance, to help make sure

      • Companies need to demand secure software. If it was easy enough for a crook to climb a ladder and get in a second floor window, I would lock the second floor windows and I wouldn't ever install a window without a lock again.
        • by shess ( 31691 )

          Companies need to demand secure software. If it was easy enough for a crook to climb a ladder and get in a second floor window, I would lock the second floor windows and I wouldn't ever install a window without a lock again.

          To be fair, often enough it's more like they didn't even know they had second-floor windows, because they had never gone upstairs. Which is not to let them off the hook, the stairs were there, they could have checked.

          Of course, this being software, it's like you have a million sets of stairs, some go upstairs, some go downstairs, some are dimensional portals, but the majority of them end in a brick wall or sewer, so checking them is no fun at all.

          I dunno, comparing software security to real-life security i

        • > If it was easy enough for a crook to climb a ladder and get in a second floor window,

          And if the crook just broke the window, picked the front door lock, or just came in though the wall instead? Physical security is after all almost entirely about making unauthorized entry inconvenient enough that other people are easier targets - not about actually making it terribly difficult to enter. Unpickable locks are almost nonexistent, most can be picked in well under a minute with only moderate skill. Digit

    • If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

      Nice strawman you have there.

      That's not what happened and you know it. The question will (should?) come down to whether reasonable duty of care [wikipedia.org] was exercised on the part of the plaintiff and whether the insurance contract was violated by failure of the plaintiff to take reasonably expected security measures and to implement them with reasonable competence. All modern systems have security holes so perfection is not a reasonable expectation.

      • "All modern systems have security holes" and they shouldn't. It's that simple. If that doubles the cost of software then so be it.
        • "All modern systems have security holes" and they shouldn't. It's that simple. If that doubles the cost of software then so be it.

          Perfection is not a realistic goal. You get as close as you realistically can, and you spend a reasonable amount of time trying to get closer on the next pass. With that said, few people would argue that enough is being done...

          It would probably much more than double the software cost, but putting that aside, you'd need substantial hardware changes as well. And no doubt some of those would incur performance penalties, which in turn means needing more silicon to do the same job.

          I think there's a market for a

          • I'm not asking for perfection. The UI can still be messed up so it's not perfect.
            • I'm not asking for perfection. The UI can still be messed up so it's not perfect.

              I thought we were having a serious conversation about how networking is hard when it gets complex. To my mind we need a mesh internet in order to go forward, which comes with all kinds of new problems with routing. Multi-level web of trust, anyone? Good times.

        • "All modern systems have security holes" and they shouldn't. It's that simple. If that doubles the cost of software then so be it.

          WONDERFUL! Two times zero is still zero (you're using open-source freeware, right?)

          • WONDERFUL! Two times zero is still zero (you're using open-source freeware, right?)

            Accountant here. Just because the software doesn't have a license cost doesn't mean it is free (as in beer) to use. Still got to pay IT their salaries to install, support, train, and administer. I assure you they get justifiably cranky if you don't send them a paycheck regularly.

            • WONDERFUL! Two times zero is still zero (you're using open-source freeware, right?)

              Accountant here. Just because the software doesn't have a license cost doesn't mean it is free (as in beer) to use. Still got to pay IT their salaries to install, support, train, and administer. I assure you they get justifiably cranky if you don't send them a paycheck regularly.

              WHOOSH! Has /. degraded so much I must annotate when the intended sarcasm should have been apparent? Also, opensource freeware is released under a license (such as GPL or BSD

        • "All modern systems have security holes" and they shouldn't. It's that simple. If that doubles the cost of software then so be it.

          "Double the cost"? HAHAHAHAHAHA... Oh wait, you were serious? Even if it were possible to get perfect security with no holes (it isn't and never will be) it would cost FAR more than double to get even close. The cost of security isn't some linear function. And if you increase the cost too much then the computer system becomes too costly to justify in the first place.

          You can argue they didn't do enough to rise to a reasonable duty of care. It is completely ridiculous to argue that perfect security is

    • I'm not sure who has the better case here, but I can predict that insurance companies are going to start auditing companies they insure for cyber damage to see if they have some resiliency.

      No insurance company is going to want to cover a business that stores oil soaked rags and gasoline next to the furnace.

    • I was just wondering how you can file a claim regarding a hack which almost definitely was due to having piss poor security.

      I have worked with national banks who whine about being hacked when they pretty much just leave the door open.

      Rule 1) Cisco, Checkpoint, Palo Alto, etc.: they do not sell security solutions. They sell overpriced door locks that keep the honest people honest.

      Rule 2) If your company actually got hacked or suffered losses due to a hack, it almost certainly is because you spend too much m
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

      In this case, it's more like you locked your door, but someone exploited a weakness and gained access.

      If this was a straight hack, then I assume Zurich has no wiggle room.

      What seems to be described in TFS is that since people are attributing this to government sponsored hackers, the exclusion of 'warlike or hostile' activity applies.

      This would create two different classes for purposes of

    • If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.

      Simplifying the spread of NotPetya like this (incorrectly, I may add) serves zero purpose. It doesn't help people understand what went wrong, it doesn't help people understand how it worked, and it doesn't help people at all with the topic at hand, given the insurance company is not saying you left your door open, but rather that Kim Jong Un came and broke it down.

      Please keep stupid discussion to the comments in the Daily Mail. This is Slashdot, we like to believe the comments have a minimum standard.

  • Great summary (Score:5, Insightful)

    by bistromath007 ( 1253428 ) on Friday January 11, 2019 @09:29AM (#57943286)
    Definitely don't need to know Zurich's position on the matter, thanks for omitting it
    • by piojo ( 995934 )

      Definitely don't need to know Zurich's position on the matter, thanks for omitting it

      From the summary: Both companies declined to comment on the case. It appears their position on the matter will be disclosed at court.

  • Insurance company refusing to pay with some feeble excuse?

    Happens all the time, they speculate on being not sued because it would be too much hassle for the customer, or said customer cannot afford a lawyer, or whatever. A bunch of crooks as bad as banks. I have sometimes heard bankers called "banksters", but "insuranksters" would also fit.

  • Comment removed based on user account deletion
    • I don't know why any insurance company would offer hacking insurance.

      You can insure anything profitably provided you can charge adequately high premiums. To do that you need to have data about the likelihood of an incident and the financial burden that will result.

      It is right up there with "terrorism insurance" or giving life insurance to military servicemen in terms of likelihood that you'll get hit with a payout demand.

      Evidently you aren't an actuary. Have you actually looked at the risk tables for those activities? The insurance companies have. Yes military service is a dangerous job but you can be assured that fact is priced into the premiums they pay. Insurance companies aren't staffed by idiots and unlike you they actual

  • by Mortimer82 ( 746766 ) on Friday January 11, 2019 @09:42AM (#57943384)
    NotPetya largely used EternalBlue to exploit unpatched Windows computers. [wikipedia.org]

    If Mondelez had simply kept reasonably up to date with Windows Updates, the damage would have been highly limited, or possibly non-existent. The fact that they claimed damages of $100M means that countless computers were not up to date, allowing the malware to infect them over their network.
    I hope Zurich wins, because in the same way that insurance companies are not expected to pay out for accidents as a result of a clearly unroadworthy automobile, insurance companies should not be expected to pay out for damages due to grossly negligent IT practices.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I agree that it was their own negligence that led to their exploitation, but unfortunately that's not the grounds on which Zurich is denying their claim. Zurich is denying the claim because they are categorizing the attack as cyberwarfare, rather than categorizing the defense as piss-poor as a paper shield in Hell.

      If they denied the claim based on negligence, that would indeed be the precedent we've all been waiting for, because it would inspire every other insurance company to say "why the hell weren't w

  • Here we are in the 21st century and companies are still clearly confused on how expensive using IT really is. They cheap out and then act surprised when there is a hack.
  • by Confused ( 34234 ) on Friday January 11, 2019 @10:09AM (#57943650) Homepage

    Many comments didn't seem to pick up why Zurich is refusing:

    Zurich asserts the attack was done by some foreign government in a hostile or warlike manner, which is excluded from coverage.
    The prime suspect in this case would be Russia.

    It's very common to exclude damages from war in insurance contracts. With foreign nations doing state sanctioned or organised hacking, this becomes very favourable for Zurich. They basically say, we cover only damage from script kiddies, not from foreign secret services waging a cyberwar against the USA.

    Whether Mondelez are incapable buffoons or they left their doors open with a written invitation to plunder them isn't really what this is all about.

    • The recent news blaming a 20 yo in his parents' bedroom for the hack of sensitive data about German politicians which was originally blamed on 'state actors' has confused the situation a great deal.

      https://www.theguardian.com/wo... [theguardian.com]

      It also reminds us that at least some states aren't bothering to defend themselves properly.

    • Right. All Zurich has to do is prove it was a foreign government. This should be interesting given the NSA's leak of EternalBlue and the CIA's misattribution tools. My guess is US "intelligence" cost Zurich $100M in this one instance (among many).

    • “Mondelez originally made claims for the cost of these damages on its property insurance policy, taken out with Zurich. The policy suggested it was covered for physical loss or damage to electronic data, software and physical damage caused by the malicious code or instruction.” link [itpro.co.uk]

      @Confused [slashdot.org]: “.. Whether Mondelez are incapable buffoons or they left their doors open with a written invitation to plunder them isn't really what this is all about.”

      Yea, it's about your cyber-insura
  • When contracts come up for renewal, insurance company liability will be spelled out and priced in.

    Company seeking renewal: What's this clause about not covering cyber events?

    Insurance agent: Oh, that's standard now. However, if you want coverage, we'll be glad to sell you a rider, for $MUCHMORETHANYOUPLANNEDFOR.

    Company seeking renewal, after shopping around and finding all financially-sound insurance companies are either not covering cyber events or charging a lot to cover them: Um.....

  • Hold the vendor accountable. Sue Oracle for your Solaris distribution being bugged and flawed. Sue Cisco for their IOS having security holes. Sue Microsoft and VMware. Why we don't: because we sold out years back and installed Linux in our datacenters, and now the only people held accountable are ourselves. Nicely done!
  • I've never liked Oreo cookies.
  • “.. the ability of the developers within a given enterprise to use and rely on open source at scale is dependent on its acceptance by that enterprise’s legal department .. The end result is the policies which countless developers operate under today which specify which licenses are approved and which are not.” RedMonk [redmonk.com]
  • “The debate over whether the war exclusion could have applied to NotPetya demonstrates that if insurers are going to continue including the war exclusion on cyber insurance policies, the wording should be reformed to make clear the circumstances required to trigger it. Absent that clarification, insurers and insurance buyers must default to the Law of Armed Conflict, including rulings that might be more than a century old, to discern between the categories of criminal activity and warlike actions. As
