Mondelez, the US Food Company That Owns Oreo and Cadbury Brands, Sues Zurich in Test For Cyber Hack Insurance (ft.com)
Mondelez, the US food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, for refusing to pay out on a $100m claim for damage caused by the NotPetya cyber attack. From a report: The case will be the first serious legal dispute over how companies can recover the costs of a cyber attack [Editor's note: the article may be paywalled; alternative source], as insurance groups seek to tightly define their liabilities. "It's a pretty big deal. I've never seen an insurance company take this position," said Robert Stines, a cyber law specialist at the US law firm Freeborn. "It's going to send ripples through the insurance industry. Major companies are going to rethink what's in their policies." The NotPetya attack in the summer of 2017 crippled the computer systems of companies around the world, including Merck, the pharmaceuticals company, Reckitt Benckiser, the consumer group, and Maersk, the world's largest shipping group. It caused billions of dollars of damage and has been blamed by the US and the UK on Russian hackers attacking the Ukrainian government.
[...] According to the Mondelez court documents, Zurich initially worked to adjust the claim in the usual way and at one point even promised to make a $10m interim payment. But it later refused to pay, relying on an exclusion in the policy for "a hostile or warlike action" by a government or sovereign power or people acting for them. Mondelez described Zurich's refusal as "unprecedented" and is seeking $100m in damages. Both companies declined to comment on the case.
no subject (Score:5, Insightful)
Re: (Score:2)
If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.
Let's test out your theory!
What's your address?
Re: (Score:2)
Oh, were things that simple.
Admit that almost every platform has unknown zero-day cracks in existence today. If it's not a local three-letter agency, "state actors", various organized entities, clever coders, or others, most all platforms have cracks. Employing risk mitigation and asset protection schemes doesn't seem to be working.
Look at any summary of 2018 cracks, and the list is long. Billions of records were spilled into someone's bit bucket, or ransomed.
So one insures one's assets. The devil of the po
Re: (Score:3)
Re: (Score:3)
That's the (w)hole point. What are due diligence and best practices against an unknown zero-day? Companies DO demand more secure software, operating platforms, monitoring, intrusion detection, and more.
They're up against an obscene number of known uncorrected problems as well as unknown, uncorrected problems. Stuff happens.
The car analogy is you hit black ice, which you couldn't see, and you spin out of control and hit something. In that case, your insurance pays anyway. You did your best, and there are min
Re: (Score:2, Flamebait)
Re: (Score:2)
Re: (Score:2)
Then what is the point of such insurance?
You don't have car insurance if your car is 100% guaranteed never to get in an accident.
Re: (Score:2)
An abacus.
Or any of the above, on a computer not connected to a network. Can't exploit a flaw you can't access.
Re: (Score:1)
9800 Savage Rd. Apt 6272 Ft. George G. Meade MD 20755-6000
Edward Snowden didn't seem to have any trouble with that address.
Re: (Score:3)
If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.
Especially if you did it twice since, according to the alt source, Mondelez got hit by NotPetya several times. As they say in Texas: "Fool me once, shame on me. Fool me twice, not....not gonna fool me again." Or something. I hope Zurich wins so that companies actually start seeing a financial incentive towards basic system security.
Re: (Score:1)
I hope Zurich wins, so that insured companies learn they can't just pay a pittance to an insurance company to cover them if they want to avoid paying for proper security. Instead they will learn it will cost a LOT of $$$$ to pay an insurance company to cover them, as they will have to pay a lot more for a policy that would cover that sort of attack.
On the other hand, I hope that the insured company wins so insurance companies learn to REALLY raise their rates: That way the insured companies will find out it
Re: (Score:2)
Clearly some more informed people are surprised that Mondelez payout was refused; which at least implies that it isn't simply clear breaches of the terms of the agreement, o
Re: (Score:3)
That isn't an apt analogy.
It is more like you didn't lock the windows on your second floor. The crook just used a ladder, got in and stole your stuff, and your home insurance, which was supposed to help cover theft, didn't cover it because your house wasn't a fortress.
The problem with IT security today is that nearly every system needs military-grade security on it, which is often expensive and hinders the overall usefulness of the IT infrastructure.
This is why these companies buy Cyber hack insurance, to help make sure
Re: (Score:2)
Re: (Score:2)
Companies need to demand secure software. If it was easy enough for a crook to climb a ladder and get in a second floor window, I would lock the second floor windows and I wouldn't ever install a window without a lock again.
To be fair, often enough it's more like they didn't even know they had second-floor windows, because they had never gone upstairs. Which is not to let them off the hook, the stairs were there, they could have checked.
Of course, this being software, it's like you have a million sets of stairs, some go upstairs, some go downstairs, some are dimensional portals, but the majority of them end in a brick wall or sewer, so checking them is no fun at all.
I dunno, comparing software security to real-life security i
Re: (Score:2)
> If it was easy enough for a crook to climb a ladder and get in a second floor window,
And if the crook just broke the window, picked the front door lock, or just came in through the wall instead? Physical security is after all almost entirely about making unauthorized entry inconvenient enough that other people are easier targets - not about actually making it terribly difficult to enter. Unpickable locks are almost nonexistent, most can be picked in well under a minute with only moderate skill. Digit
Re: (Score:2)
Duty of care (Score:3)
If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.
Nice strawman you have there.
That's not what happened and you know it. The question will (should?) come down to whether reasonable duty of care [wikipedia.org] was exercised on the part of the plaintiff and whether the insurance contract was violated by failure of the plaintiff to take reasonably expected security measures and to implement them with reasonable competence. All modern systems have security holes so perfection is not a reasonable expectation.
Re: (Score:2)
Re: (Score:2)
"All modern systems have security holes" and they shouldn't. It's that simple. If that doubles the cost of software then so be it.
Perfection is not a realistic goal. You get as close as you realistically can, and you spend a reasonable amount of time trying to get closer on the next pass. With that said, few people would argue that enough is being done...
It would probably be much more than double the software cost, but putting that aside, you'd need substantial hardware changes as well. And no doubt some of those would incur performance penalties, which in turn means needing more silicon to do the same job.
I think there's a market for a
Re: (Score:2)
Re: (Score:2)
I'm not asking for perfection. The UI can still be messed up so it's not perfect.
I thought we were having a serious conversation about how networking is hard when it gets complex. To my mind we need a mesh internet in order to go forward, which comes with all kinds of new problems with routing. Multi-level web of trust, anyone? Good times.
Re: (Score:2)
"All modern systems have security holes" and they shouldn't. It's that simple. If that doubles the cost of software then so be it.
WONDERFUL! Two times zero is still zero (you're using open-source freeware, right?)
No license cost != no cost to use (Score:2)
WONDERFUL! Two times zero is still zero (you're using open-source freeware, right?)
Accountant here. Just because the software doesn't have a license cost doesn't mean it is free (as in beer) to use. Still got to pay IT their salaries to install, support, train, and administer. I assure you they get justifiably cranky if you don't send them a paycheck regularly.
Re: (Score:2)
WONDERFUL! Two times zero is still zero (you're using open-source freeware, right?)
Accountant here. Just because the software doesn't have a license cost doesn't mean it is free (as in beer) to use. Still got to pay IT their salaries to install, support, train, and administer. I assure you they get justifiably cranky if you don't send them a paycheck regularly.
WHOOSH! Has /. degraded so much I must annotate when the intended sarcasm should have been apparent? Also, opensource freeware is released under a license (such as GPL or BSD
Perfect security = impossible (Score:2)
"All modern systems have security holes" and they shouldn't. It's that simple. If that doubles the cost of software then so be it.
"Double the cost"? HAHAHAHAHAHA... Oh wait, you were serious? Even if it were possible to get perfect security with no holes (it isn't and never will be) it would cost FAR more than double to get even close. The cost of security isn't some linear function. And if you increase the cost too much then the computer system becomes too costly to justify in the first place.
You can argue they didn't do enough to rise to a reasonable duty of care. It is completely ridiculous to argue that perfect security is
Re: (Score:2)
I'm not sure who has the better case here, but I can predict that insurance companies are going to start auditing companies they insure for cyber damage to see if they have some resiliency.
No insurance company is going to want to cover a business that stores oil soaked rags and gasoline next to the furnace.
You too? (Score:2)
I have worked with national banks who whine about being hacked when they pretty much just leave the door open.
Rule 1) Cisco, Checkpoint, Palo Alto, etc.: they do not sell security solutions. They sell overpriced door locks that keep the honest people honest.
Rule 2) If your company actually got hacked or suffered losses due to a hack, it almost certainly is because you spend too much m
Re: (Score:2, Interesting)
In this case, it's more like you locked your door, but someone exploited a weakness and gained access.
If this was a straight hack, then I assume Zurich has no wiggle room.
What seems to be described in TFS is that since people are attributing this to government sponsored hackers, the exclusion of 'warlike or hostile' activity applies.
This would create two different classes for purposes of
Re: (Score:2)
If I left my front door open with a sign that said 'come take my stuff' I expect the insurance company would fight me too.
Simplifying the spread of NotPetya like this (incorrectly, I may add) serves zero purpose. It doesn't help people understand what went wrong, it doesn't help people understand how it worked, and it doesn't help people at all with the topic at hand, given the insurance company is not saying you left your door open, but rather that Kim Jong Un came and broke it down.
Please keep stupid discussion to the comments in the Daily Mail. This is Slashdot, we like to believe the comments have a minimum standard.
Great summary (Score:5, Insightful)
Re: (Score:3)
Definitely don't need to know Zurich's position on the matter, thanks for omitting it
From the summary: Both companies declined to comment on the case. It appears their position on the matter will be disclosed at court.
What's new in insurance companies NOT paying? (Score:1)
Insurance company refusing to pay with some feeble excuse?
Happens all the time, they speculate on being not sued because it would be too much hassle for the customer, or said customer cannot afford a lawyer, or whatever. A bunch of crooks as bad as banks. I have sometimes heard bankers called "banksters", but "insuranksters" would also fit.
Re: (Score:2)
Underwriting (Score:2)
I don't know why any insurance company would offer hacking insurance.
You can insure anything profitably provided you can charge adequately high premiums. To do that you need to have data about the likelihood of an incident and the financial burden that will result.
It is right up there with "terrorism insurance" or giving life insurance to military servicemen in terms of likelihood that you'll get hit with a payout demand.
Evidently you aren't an actuary. Have you actually looked at the risk tables for those activities? The insurance companies have. Yes military service is a dangerous job but you can be assured that fact is priced into the premiums they pay. Insurance companies aren't staffed by idiots and unlike you they actual
Re: (Score:2)
Like antivirus, most of the time it's a checkbox required for some kind of compliance. My last company has insurance like this because it was the only way we could get contracts with large companies. No insurance = no sale.
Re: (Score:2)
"Anytime a company has hack insurance, that tells me their management doesn't trust the I.T. staff ..."
Sounds right in this case:
https://www.itpro.co.uk/securi... [itpro.co.uk]
"Instead of a war exclusion clause, Zurich should have invoked a gross negligence clause, which is much easier to prove in this case than attribution to a nation-state, particularly considering Mondelez was hit twice by the same ransomware," he said. The "fool me once" proverb is fully applicable here: while many companies fall victims to ransomwar
Client failed to keep systems patched (Score:5, Interesting)
If Mondelez had simply kept reasonably up to date with Windows Updates, the damage would have been highly limited, or possibly non-existent. The fact that they claimed damages of $100M means that countless computers were not up to date, allowing the malware to infect them over their network.
I hope Zurich wins, because in the same way that insurance companies are not expected to pay out for accidents as a result of a clearly unroadworthy automobile, insurance companies should not be expected to pay out for damages due to grossly negligent IT practices.
Re: (Score:2, Interesting)
I agree that it was their own negligence that led to their exploitation, but unfortunately that's not the grounds on which Zurich is denying their claim. Zurich is denying the claim because they are categorizing the attack as cyberwarfare, rather than categorizing the defense as piss-poor as a paper shield in Hell.
If they denied the claim based on negligence, that would indeed be the precedent we've all been waiting for, because it would inspire every other insurance company to say "why the hell weren't w
Re: Client failed to keep systems patched (Score:2)
Re: (Score:2)
+1 Insightful
Cheap out (Score:2)
The 100M$ question is: Was it Cyberwar? (Score:5, Informative)
Many comments didn't seem to pick up why Zurich is refusing:
Zurich asserts the attack was done by some foreign government in a hostile or warlike manner, which is excluded from coverage.
The prime suspect in this case would be Russia.
It's very common to exclude damages from war in insurance contracts. With foreign nations doing state sanctioned or organised hacking, this becomes very favourable for Zurich. They basically say, we cover only damage from script kiddies, not from foreign secret services waging a cyberwar against the USA.
Whether Mondelez are incapable buffoons or they left their doors open with a written invitation to plunder them isn't really what this is all about.
Proving it was or wasn't is HARD (Score:2)
The recent news blaming a 20 yo in his parents' bedroom for the hack of sensitive data about German politicians which was originally blamed on 'state actors' has confused the situation a great deal.
https://www.theguardian.com/wo... [theguardian.com]
It also reminds us that at least some states aren't bothering to defend themselves properly.
Re: (Score:2)
Right. All Zurich has to do is prove it was a foreign government. This should be interesting given the NSA's leak of EternalBlue and the CIA's misattribution tools. My guess is US "intelligence" cost Zurich $100M in this one instance (among many).
Re: (Score:2)
@Confused [slashdot.org]: ".. Whether Mondelez are incapable buffoons or they left their doors open with a written invitation to plunder them isn't really what this is all about."
Yea, it's about your cyber-insura
Uncertainty will go away soon (Score:1)
When contracts come up for renewal, insurance company liability will be spelled out and priced in.
Company seeking renewal: What's this clause about not covering cyber events?
Insurance agent: Oh, that's standard now. However, if you want coverage, we'll be glad to sell you a rider, for $MUCHMORETHANYOUPLANNEDFOR.
Company seeking renewal, after shopping around and finding all financially-sound insurance companies are either not covering cyber events or charging a lot to cover them: Um.....
Vendor (Score:1)
Never cared for them (Score:2)
RedMonk: Tragedy of the Commons Clause (Score:2)
NotPetya was not Cyber “War” (Score:2)