Ritz cracker giant settles bust-up with insurer over $100m+ NotPetya cleanup

Mondelez International has settled its lawsuit against Zurich American Insurance Company, which it brought because the insurer refused to cover the snack giant's $100-million-plus cleanup bill following the 2017 NotPetya outbreak. The years-long legal battle over the claim has been closely watched by cyber-insurance and legal …

  1. Anonymous Coward
    Anonymous Coward

    We would have paid up

    but you opted for our "never claim" policy ....

  2. OhForF' Silver badge
    Stop

    Privatize profits - outsource risk to public

    cyberinsurance policies have been ridiculously underpriced because all of the companies wanted to get into the market

    and now that those insurance companies realize they could be liable to pay real money in case of big cyber incidents they want to outsource their risk to the tax payer?

    What is their idea, if it worked out for banks to privatize their profits and get the public to pay in a crisis why would it not work for insurance companies?

    1. Tubz Silver badge

      Re: Privatize profits - outsource risk to public

      I'm just surprised the Insurance Biz didn't ask for government bailouts like the energy companies that sold low cost contracts and then got cold footed by price rises, went under and now we all suffer, well except for the surviving companies making billions in profits, funny in a very similar way to insurance companies.

      1. Snake Silver badge

        Re: insurance biz bailout

        They *did* : they bailed out AIB, remember??

        https://duckduckgo.com/?t=ffsb&q=aib+bailout&ia=web

      2. I could be a dog really Bronze badge

        Re: Privatize profits - outsource risk to public

        energy companies that sold low cost contracts and then got cold footed by price rises

        It wasn't actually the wholesale price increases (coupled to the price cap and fixed price contracts) that caught these retailers out - it was their failure to hedge, i.e. set up similar long-term fixed price contracts with their suppliers. Had they done so, then they'd not have been between rock and hard place, being able to draw on their fixed price (hedged) supply deals which if they'd got it right would have lasted about the same time as the fixed price deal they sold to end users.

        Or put another way, they gambled that energy wholesale prices would remain stable, failed to lay off the bets, and got caught short when they found out their guesses were wrong.

        An interesting article about this from one of the founders of Octopus Energy.

    2. This post has been deleted by its author

      1. Yet Another Anonymous coward Silver badge

        Re: Privatize profits - outsource risk to public

        How about we make flood/hurricane insurance a thing of the past, then companies will focus on climate change?

        1. Cliffwilliams44 Silver badge

          Re: Privatize profits - outsource risk to public

          Because climate change is a fantasy religion.

          You can't insure against an Orc attack can you?

          Insurance companies pushed hard for building code changes and safety and evacuation planning which has drastically reduced property damage from hurricanes since Andrew.

          1. Anonymous Coward
            Anonymous Coward

            Re: Privatize profits - outsource risk to public

            Indeed climate change is a fantasy, it's just that God hates you.

            It can be the only explanation for the damage caused by wind and weather, throughout the land of the free

          2. Cav Bronze badge

            Re: Privatize profits - outsource risk to public

            "Because climate change is a fantasy religion."

            That has to be deliberate ignorance in this age of freely available information. You can't seriously believe that. Climate change is a fact.

        2. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: Privatize profits - outsource risk to public

        Won't happen. Insurance is a trade off for risk. It's cheaper to be insured than prepared.

        1. Anonymous Coward
          Anonymous Coward

          Re: Privatize profits - outsource risk to public

          > Insurance is a trade off for risk. It's cheaper to be insured than prepared.

          This isn't true because you're missing the converse role of insurance. They're not just there to let you trade off risk. The price it pays to be insured is set by the level of preparedness your insurer demands of you. There are innumerable parts of modern industry and commerce where the rules aren't set out in statute or regulation, but by the diktat of the insurance market. The same process that all-but guarantees a daft 18 year old can't buy a five litre sporty number for their daily runaround says firms can't just buy bargain-basement cyber cover and call it a day.

          Companies are going to have to figure out how to systematically account for and manage the risk of cyber attacks if they want the insurance market to play ball. That's a *good thing*.

        2. CrazyOldCatMan Silver badge

          Re: Privatize profits - outsource risk to public

          Insurance is a trade off for risk. It's cheaper to be insured than prepared

          Not in pet insurance it isn't..

          (ObBackground: We have a ridiculous number of pets [3 dogs, 6 cats] - all of whom are, putting it charitably, not defined breeds[1]. Were there pet insurance providers prepared to cover pets of unknown ancestry[2], it would cost us upward of £200 per month for insurance. So, instead, we put that £200 into an interest-bearing building society account so that, if one of the pets needs major surgery/treatment that we can't afford out of the current account, the money instead comes out of the savings account. With, of course, the benefit that the savings account isn't going to find some clause buried 13 paragraphs into the 5-point text to deny the claim... It also means that the vets are a little more judicious about the treatment that they offer given that it's the customer in front of them paying rather than a faceless insurance co.. Of course, the end-user ends up paying anyway as their premiums go up for daring to claim...

          So, odd that it might be, it's cheaper for us to be prepared rather than insured.)

          [1] Apart from the dachshund - although there is some doubt whether she's a full dachshund. And, being a Spanish rescue dog with leishmaniasis, it's very doubtful whether we could get cover for her anyway.

          [2] One or two do, but they generally charge higher prices since the pet type won't appear on their actuarial tables and so present an unknown risk. That's despite the known fact that mixed-breed cats and dogs are, almost always, much healthier than breeds that have routinely been inbred in order to 'fix' desired attributes.

  3. Pascal Monett Silver badge

    "a stolen and publicly leaked NSA exploit"

    Thank you, NSA, for your contribution to criminal organizations everywhere.

    Putin must be laughing his ass off.

    Meanwhile, instead of suing Zurich, Mondelez should sue Washington DC.

    And, while I'm at it, there should be a law stating that a company that holds more than one brand should have its name on the packaging of every product it sells.

    That way, people will know who it is they're buying from.

    1. Anonymous Coward
      Anonymous Coward

      Re: "a stolen and publicly leaked NSA exploit"

      You haven't actually looked at a Ritz cracker box in the last month, have you? The box in my pantry says Mondelez Global on the label.

      Also, why would I care which company produces the foodstuffs that I enjoy? If I like it, I'm going to buy it, even if it's made by Hitler's Bakery GmbH.

      1. Ken Moorhouse Silver badge

        Re: You haven't actually looked at a Ritz cracker box in the last month, have you?

        Pascal looks at packaging... "Nabisco". Hmm, wondered why they were going a bit soft.

    2. Jellied Eel Silver badge

      Re: "a stolen and publicly leaked NSA exploit"

      Meanwhile, instead of suing Zurich, Mondelez should sue Washington DC.

      Could you do that though, or would sovereign immunity apply? There's a couple of related things happening at the moment. Remington's being sued because they manufactured a firearm that was sold to a dealer, who sold it to a nutjob, who used it in a spree killing. I guess if Zurich had lost, they could have sued the NSA for supplying the 'weapon' on a similar basis. There's also a demand by a prof writing in the Atlantic that all the experts who got stuff wrong around the Covid fiasco should be granted total immunity.

      I'm also curious if Zurich disclosed how they knew it was a state actor that hacked Mondelez, rather than some bunch of skiddies and/or organised crime. Or perhaps that's why there was pressure to settle the case, rather than have that information disclosed in court filings.

      1. MrDamage Silver badge

        Re: "a stolen and publicly leaked NSA exploit"

        Given the circumstances surrounding the leak of the NSA tools, suing the NSA worker who broke all best security practices would be the best they could manage.

        1) Took the tools home in violation of policy/law.

        2) Dumped them on his home PC that was running a cracked version of Windows, cracked version of Office, and cracked version of Kaspersky, with updates likely turned off to avoid any of the cracked software suddenly being "fixed".

      2. Cav Bronze badge

        Re: "a stolen and publicly leaked NSA exploit"

        "Remington's being sued because they manufactured a firearm that was sold to a dealer"

        I'm in favour of strict gun control but that's just insane. How can you sue someone for making a legal device, no matter what it is used for?

  4. Kane
    Boffin

    NotPetya was a hardware killer?

    "The grub goliath said after NotPetya got into its network, it was left unable to use 1,700 of its servers and 24,000 laptops."

    I get that they would have been unable to use the hardware immediately after the attack, but once it's all been scrubbed clean, surely it's still usable and redeployable? Why would they add the cost/value of the hardware itself, as opposed to the cost of the clean up?

    If someone with greater knowledge of IT security can illuminate me on the vagaries of a situation like this, it would be appreciated, but that smells like an excuse to replace an ageing hardware fleet, no?

    1. Dave314159ggggdffsdds Silver badge

      Re: NotPetya was a hardware killer?

      It was just bad reporting. They said they suffered losses due to being unable to use/access the machines - the trivial part being the cost of fixing the laptops and so-on, the bigger part being the loss of business.

      1. Kane
        Boffin

        Re: NotPetya was a hardware killer?

        "It was just bad reporting. They said they suffered losses due to being unable to use/access the machines - the trivial part being the cost of fixing the laptops and so-on, the bigger part being the loss of business."

        I get that, but the quote goes on to say: "As a result of the damage caused both to its hardware and operational software systems" (my emphasis)

        It's that specificity - damage is damage. Just because a particularly virulent form of malware ripped through your systems doesn't mean you should get to say it is "damaged", when all it takes is a complete drive wipe and re-install from an image to get the hardware working again.

        Which is why I asked in the original title - NotPetya was a hardware killer? And why I suspect some BOFH somewhere was like, "da-ding! hardware refresh time!"

      2. diodesign (Written by Reg staff) Silver badge

        Not bad reporting

        No - we're reporting exactly what Mondelez claimed. It said damage was done to its equipment and software. Damage in this case is defined as "physical loss or damage to electronic data, programs, or software, including physical loss or damage."

        I can add this point to the piece but it seemed obvious to us and others.

        C.

    2. Anonymous Coward
      Anonymous Coward

      Re: NotPetya was a hardware killer?

      It could be scrubbed clean, but it's not unusual to take the disks out and just shred them and install new drives.

      If you erase a drive and reinstall everything, you might be ok.

      If you destroy the disk and replace it, you are probably ok.

      If you replace the entire laptop, you are definitely ok.

      It all depends on how many hands on deck you have and whether or not you have sufficiently identified the source of the infection and so on.

      Malware and so on can live outside of your HDD/SSD. If you have slightly dated kit that has certain functionality on it that can't be patched...*cough* Intel Management Engine *cough*...then to combat the spread, you need to ditch the kit. Otherwise, each device you bring back online could be quickly reinfected and you'll be whacking moles.

      There is also the matter of ancient print servers, ancient servers with no longer supported ILO or DRAC cards etc etc etc that can have ISO files mounted remotely (if compromised)...there's a ton of shit that could end up scrapped following a cyberattack. Especially if the loss of business is higher than the cost of the kit...which it usually is.

      1. CrazyOldCatMan Silver badge

        Re: NotPetya was a hardware killer?

        If you destroy the disk and replace it, you are probably ok.

        If you replace the entire laptop, you are definitely ok.

        Especially if the NastyWare(tm) installs itself in the EFI partition and survives reboots and OS rebuilds..

      2. I could be a dog really Bronze badge

        Re: NotPetya was a hardware killer?

        There is also the matter of ancient print servers, ancient servers with no longer supported ILO or DRAC cards etc etc etc that can have ISO files mounted remotely (if compromised)...there's a ton of shit that could end up scrapped following a cyberattack.

        I would argue that those are not costs of the cyber attack, but costs of maintaining your equipment ... properly.

        So, for example, if you do have old hardware with a buggy ILO that can be used in that manner - replacing it is not the cost of a cyber attack, it's the cost you should have invested when it became known that it was a security risk. Obviously there may be situation where it's cheaper to put in mitigations (such as moving such devices to a suitably protected network) - but you could also do that after the horse has bolted as well.

        We've seen the same sort of twisted finance logic before, when what's his name (UK hacker) was accused by the US government of causing huge amounts of "damage" - where the costs clearly included "doing the system admin job properly" such as changing default passwords etc.

        1. Anonymous Coward
          Anonymous Coward

          Re: NotPetya was a hardware killer?

          It's not always possible to swap out hardware after the 3 years of updates the manufacturer provides.

          Also, spending hundreds of thousands possibly millions to just upgrade servers because ILO etc won't fly with a lot of bean counters.

          However, spending on a support package that ensures future upgrades to the software is. Yet nobody offers it.

        2. Anonymous Coward
          Anonymous Coward

          Re: NotPetya was a hardware killer?

          Where ancient stuff is concerned. Sure you can do all of those things...but how do you access a print server that has been isolated?

          In some cases, print servers are built in to the printer itself and the printer in question might be a piece of kit that was several hundreds of pounds worth of investment that is still perfectly fine for its job and spares are still widely available for hardware maintenance. It doesn't seem like a wise move to bin a piece of expensive kit just because the software no longer receives updates.

  5. Brewster's Angle Grinder Silver badge

    Summary of current state of cyberinsurance

    If you can afford lawyers, your losses will be ?mostly covered.

    If you can't: fuck off.

  6. Wade Burchette

    Insurance companies

    Always remember that insurance companies are in the business of taking money, not paying out money. They will do whatever it takes to minimize or even eliminate the paying out part. And when you must use them, your rates will increase, even if you were not at fault and there was nothing you could have done to prevent the incident.

    1. Yet Another Anonymous coward Silver badge

      Re: Insurance companies

      You could take out insurance liability insurance which covers you against your insurance not paying out.

      1. Anonymous Coward
        Anonymous Coward

        Re: Insurance companies

        What we really need is an IT insurance policy that pays out in pints following a successful recovery.

        I'd pay for that. £1 a month (£1.50 if you wish to upgrade your package to include spirits) to guarantee a decent piss up when a recovery ends.

        In fact..better than that. We need a social IT worker beer fund. It could be a not for profit that donates beer to knackered and underappreciated IT people.

        We could offer a service where a tactical unit of elite IT guys arrives by helicopter and comes smashing through the ceiling with a few cases of beer, some fried and a plan. That way, when the insurers finally respond after 3 weeks, everything will be sorted.

    2. adam 40 Silver badge

      Re: Insurance companies

      True, but the balance is if they never pay out, peeps will stop insuring, because they aren't actually covered in a meaningful way.

      Then they lose the turnover and business.

      So they have to pay out maybe 80% of their premiums. Then, if the payout is too low a percentage, the premiums are too high.

      1. Yet Another Anonymous coward Silver badge

        Re: Insurance companies

        >but the balance is if they never pay out, peeps will stop insuring, because they aren't actually covered in a meaningful way.

        At which point the insurance companies lobby to make it a requirement to have cyber insurance

        1. Dimmer Bronze badge

          Re: Insurance companies

          Or health insurance

  7. Michael Strorm Silver badge

    Ritz cracker giant settles bust-up?

    That being the case, I assume this means we won't be seeing any...

    (puts on sunglasses)

    ....Writz.

    (YEEEEEEEAAAAAAAAHHHHHHH!!!!)

    1. Anonymous Coward
      Anonymous Coward

      Re: Ritz cracker giant settles bust-up?

      Michael Strorm,

      Take a bow !!!

      You have just won the 'Internet' ..... on receipt of $10,000,000 postage it will be sent ASAP in a gift wrapped box !!!

      :)

    2. Bitsminer Silver badge

      Re: Ritz cracker giant settles bust-up?

      No immediate payout?

      Was their insurance on the Fritz?

      1. David 132 Silver badge
        Coffee/keyboard

        Re: Ritz cracker giant settles bust-up?

        You all made me snort out my coffee. You gitz.

  8. wyatt

    Oh? Insurance companies haven't done their due diligence in evaluating the risk and cost of potential claims?

    Guess they'll start doing this and prices will rise along with audits or attestations which if found to be lies, invalidate your claim. Nothing new here.

  9. Death Boffin
    FAIL

    Cyber security

    Or did Mondelez do the cyber equivalent of parking their car in a bad part of town with the keys left in the ignition?

    1. Yet Another Anonymous coward Silver badge

      Re: Cyber security

      Their argument is that if this was a nation state attack, then how can a cookie company defend against the awesome power of the USSR Russian cyber-ninjas.

      Similarly their insurance says, well then it's war and we don't cover war

  10. Pete 2 Silver badge

    Insurance only covers cheap claims

    > if a cyberattack can reasonably be attributed to a nation state and therefore be excluded

    The reason why "acts of war" are excluded from every insurance policy I have had or seen, is that the damage caused in a war tends to be widespread (affecting lots of potential claimants) and devastating. Either one of those makes any potential claim ruinous for the insurer.

    In this case, I can see that if every victim of NotPetya claimed such enormous costs then every insurer would be out of business for everyone, no matter what their cover was for.

    Was this company specifically targeted? If so, then that doesn't sound much like war.

    Was their claim of a comparable amount to other attacked companies'? If not then it sounds like they have some intrinsic issues that need fixing.

    No matter what the details of this single claim, it sounds like the cyber insurance sector has some serious thinking to do about what policies it writes and what obligations it places on its policy holders.

    1. This post has been deleted by its author

    2. Yet Another Anonymous coward Silver badge

      Re: Insurance only covers cheap claims

      But the act of war clause is meant to be so a Nagasaki home owner can't claim for property damage.

      If every attack can be blamed on a nation state, then are my losses on Huawei shares an act of war by the USA so I can just refuse to pay a margin call?

    3. Anonymous Coward
      Anonymous Coward

      Re: Insurance only covers cheap claims

      I've worked in insurance for many years. With stuff like Life and Motor, there are massive databases giving you a good idea of the cost of risk. With stuff like this, the insurer does not have a clue. They do not have the resources to assess how vulnerable the client company is. Their best hope is to guess and then reinsure the fuck out of it.

      This is not a mature insurance market. At some point in the future, there may emerge a standard way of assessing an organisation's security. And that might actually get the execs interested in listening to the techs who know how to secure things, rather than the "fingers crossed" approach that many companies have. In life insurance terms, if you lied to the insurer about the fact that you get through 40 Capstan Full Strength and a litre of vodka in a typical day, don't expect them to pay out on your life insurance. Not that you'll know.

      1. CrazyOldCatMan Silver badge

        Re: Insurance only covers cheap claims

        the fact that you get through 40 Capstan Full Strength and a litre of vodka in a typical day

        Phew! That's not me since I don't smoke..

      2. I could be a dog really Bronze badge

        Re: Insurance only covers cheap claims

        They do not have the resources to assess how vulnerable the client company is

        Hence why we so often find ourselves on the receiving end of a load of "tick box" questionnaires every time the auditors, insurers, parent company/uncle Tom Cobley come to visit :-(

        Hands up, I assume I'm not the only one to be told "we have to do X" - after the fact, when some non-technical manager has agreed to do the X that the auditors/insurers/parent company/uncle Tom Cobley have asked for "because we expect to see it".

        Never any hint of "is there a reason we don't do X ?" In one case, yes, it's because our system simply doesn't have the facility to do it ! IIRC "X" was locking accounts after failed logins, which the SCO OpenServer (yes, long time ago) didn't support. So as an alternative, we were instructed that the terminal had to be locked. Those who know how SCO OpenServer handled Telnet (see it was a long time ago) sessions on virtual serial lines will quickly predict the problems we soon experienced which persuaded manglement that perhaps we did have a point when we said it was a really bad idea. Which we could have explained to them if they'd asked before agreeing to do it.

  11. Kev99 Silver badge

    But, but, putting our proprietary, confidential, business critical data out on the bunch of holes held together with string is perfectly safe. Nothing bad can possibly happen. Besides, it's free.

  12. Marty McFly Silver badge
    Facepalm

    Prove it!

    We were attacked by private Russian hackers! = Insurance covered

    We were attacked by state-sponsored Russian hackers! = Not covered

    It might be possible to compare code used and prove the re-use of code snippets. But that does not prove the hackers were 'state-sponsored'.

    Seriously, just because the soil they sat on is in Russia does not mean they are state sponsored. And they are miscreants - there is no honor in thieves! Even if the code originated with state sponsored activities, it is not possible to prove the propagating threat actors did not steal / borrow / re-purpose it.

    Short of an official government declared statement of "War", I find it incredibly difficult to prove a cyber attack was caused by a nation state.

    1. Yet Another Anonymous coward Silver badge

      Re: Prove it!

      No it's simpler than that,

      If your company has super top level cyber security, then any attack must have been from a nation state elite cyber attack unit = not covered

      If any old teenage hacker could have done this for the lulz, then you are negligent = not covered

    2. John Brown (no body) Silver badge

      Re: Prove it!

      "Short of an official government declared statement of "War", I find it incredibly difficult to prove a cyber attack was caused by a nation state."

      I do wonder if there was any US Govt pressure brought to bear on the parties to settle out of court. It could be a tad interesting if a US judge found in favour of the insurers and declared the "cyber attack" an act of war.

      1. Strahd Ivarius Silver badge
        Trollface

        Re: Prove it!

        The US gov didn't want their responsibility to be engaged, after all they leaked the tools to Russian "hackers", didn't they?

  13. Anonymous Coward
    Anonymous Coward

    These Insurance Companies...

    ...need to get actual experts in to draw up the minimum requirements necessary to obtain cover. The few times I've dealt with cyber security insurance companies, their list of requirements has been both basic and stupid.

    Either the requirements are insanely low or insanely stupid.

    I've had insurers insist on me enabling 2FA on *everything* which isn't particularly bad advice, but they kept insisting that I enable it on 3 switches in the network that weren't even managed switches. It took around 5 or 6 emails being bounced around about 8 people at the insurer before someone understood that you can't password protect an un-managed switch.

    One of them came back and told me that I'd need to make sure someone was managing the switch before they would cover us. I nearly choked on my tea when I read that.

    There is a massive gaping chasm of knowledge in the cybersecurity insurance space. Every list of requirements I've seen read like a "top 10 ways to secure your Windows installation" tutorial off YouTube.

    I'm all for the premiums going up, but only if the increased premiums are used to hire actual cybersecurity experts.

    Or literally anyone that understands terminology such as:

    Airgapped

    Logically Separated

    Reverse Proxy

    WAF

    Dumb / Un-managed switch

    Also...

    It would help if insurers actually understood 2FA. At one of my clients, I have an entirely airgapped network. There is no internet access, no wifi, it is airgapped because it doesn't need to be on the internet, it rarely needs to change and is responsible for running critical hardware. Which makes 2FA (as the insurers understand it) basically impossible. The only way you can compromise the system is if you managed to physically break into the building and get through 4, double locked, steel doors. That is 8 locks and a camera on each door.

    Another example of a sticking point I got stuck on was with a different insurer that had a bee in its bonnet over wifi security. The WAP in question didn't support WPA3...and was set up to use WPA2...but here is the rub...the WAP is operating in a radio lab (and is switched off most of the time) and the radio lab is inside a massive faraday cage. Through which, basically zero radio signals can travel. You will not get phone signal inside the cage and you for sure cannot pick up external wifi from within the cage...and yet they wouldn't let it go. This was also at a time when WPA3 was even less common than it is now...about 18 months / 2 years ago.

    The final nail in the insurance coffin is that I've had several of them recommending McAfee antivirus, one of them recommended Norton. Nothing screams "thick bastard" to me louder than recommending those two products.

    The key thing here is that insurers seem adamant that you have insane measures in place to try and prevent attacks (which anyone will tell you is basically impossible in the long run) and not one has ever asked me about backups. The one thing that would probably reduce the size of a claim.

    Fucking idiots, all of them.

    1. Claptrap314 Silver badge

      Re: These Insurance Companies...

      This is the first job I've held where security & compliance were part of the JD. I've not dealt with our insurance carrier (yet), but the vendor security surveys are ENTIRELY along these lines.

      My personal favorite is when they demand that we rotate our passwords every three months. Of course, NIST reversed its recommendation on that front years ago...
