Long past incidents’ aftermaths are still being felt today

Global snack giant Mondelez International (Oreo anyone?), has just settled its lawsuit against Zurich American Insurance Company, which it brought because the insurer refused to cover the company's USD 100-million-plus cleanup bill following the 2017 NotPetya outbreak.

The NotPetya malware was a particularly damaging cyberattack involving wiper malware that spread fast through corporate networks back in 2017, involving clever usage of known Windows wormable exploits and inherent weaknesses in Active Directory deployments. Its victims were Maersk, Merck, Reckitt Benckiser, Beiersdorf, DHL, FedEx, and other high profile corporate giants. The NotPetya attacks have been blamed on the Russian government, specifically the Sandworm hacking group within the GRU Russian military intelligence organization.

It's not clear what the exact terms of the final settlement are, but it certainly makes it harder for companies to insure against cyberattacks, many of which are perpetrated by state sponsored actors, which can be interpreted as hostile acts by foreign governments.

The incentives to defend and properly secure networks against breaches are therefore growing:

• cyberinsurance policies will get stricter and more costly, requiring technologies such as EDR to be implemented;

• for Mondelez, the total cleanup bill of USD 100m for this single attack was not so significant compared to other notPetya victims: in the case of FedEx and Merck, the costs were USD 400 million and USD 670 million respectively, as reported in 2018. This implies a 10% hit on both companies' net income. Of course, the average hit on net profits is bound to grow as more processes are digitized.

• the reputational and long term effects will get only costlier, especially considering the regulatory pressures under which most companies are now being put.