A legal case from the maker of Oreos demanding that the company’s insurance carrier cover the costs of a cyberattack could set an important precedent for the industry, an expert told Fifth Domain.
Mondelez, the maker of Oreo cookies, is suing its insurance company, Zurich, for $100 million in damages suffered during the NotPetya cyberattack. That attack, which caused more than $10 billion in damages, has been attributed to Russia by Western nations including the United States and Britain.
“I have yet to see an insurance policy that does not exclude an act of war,” Sasha Romanosky, an analyst at the Rand Corporation, a private research firm, told Fifth Domain.
Two key questions remain unresolved, Romanosky said.
“Who makes the determination of whether or not a malicious cyber incident that originated from a nation-state triggers the exclusion?”
Second, Romanosky said there was a question regarding “what is the threshold of malicious cyber activity that would be considered an act of war? Does merely exposing emails count?”
“This is the first time it has been tested in court,” Romanosky added.
The case comes as U.S. Department of Defense leaders have remade their cybersecurity strategy in recent months to emphasize the department’s ability to operate on enemy networks but to do so below the threshold of war.
The case is not the first time such a large sum has been discussed for such cyberattacks. When Sony suffered a cyberattack from North Korea in 2014 after the planned release of its movie “The Interview,” which depicted the murder of Kim Jong Un, the company received $100 million in damages from its insurance company.
While the insurance market is currently small, in relative terms, it is expected to grow to at least $10 billion in the next decade, according to experts.
Major insurance carriers also offer cyber policies for public sector bodies such as governments, schools and utilities.
This article was updated at 9:58 on Jan. 11 with additional information.