The company that makes Oreos has filed a really big case against its insurer, Zurich, over the insurer's refusal to cover losses related to a cyberattack.
The insurer claims that the attack falls under a policy exclusion for an act of war because it has been attributed to Russia. And the case raises some valid, and untested, issues for companies offering and buying cyber-insurance policies.
When Hacking Means War
One of the bigger issues this litigation could answer is just what sort of hacks or cyberattacks would actually qualify as an act of war. Clearly the classic Nigerian prince phishing or social engineering scam isn't going to be considered as such when carried out by individuals or organized hackers, but when the attacks are organized by government entities, there seems to be less grey area. A corollary issue is who gets to make the determination about where the hack came from.
In the Oreo case, the company was hit hard by the NotPetya malware and suffered losses in excess of $100 million, due to damages and being unable to operate or fulfill orders. Notably, one big problem for the cookie company is that the NotPetya malware is suspected to be the product of state-sponsored hacking in Russia.
What's in Your Cyber-Insurance Policy?
If you have recently obtained cyber-insurance to cover your firm or company, it may be worth reviewing the policy to see if you have a similar exclusion, and if so, you may want to shop around before you renew. After all, with all that's going on in the world today, and the fact that hackers are even targeting law firms, being properly insured for a hack of war seems prudent, albeit potentially a bit overly risk averse.