The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary....

Mary N. Chaney, Esq., CISSP® is a former Special Agent for the FBI where she investigated cybercrime, a seasoned corporate executive that built and operated information security teams and now a cybersecurity attorney.

As a self-described “Breach Whisperer” our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to help support, translate and advise, Boards of Directors, CIO's, CISO's and General Counsel's on how to legally protect their company from cyber related risk.

Blog Entries


Oreo Cookie Parent Company Sues Insurance Carrier Over NotPeyta

See Article Here

Cyber liability insurance or general coverage? That’s the dispute between Mondelez and Zurich over the payment of a claim for a NotPetya attack where Modelez was a victim. Mondelez is the US food company that owns the Oreo and Cadbury brands and it alleged that it was hit twice by NotPetya in 2017, with 1,700 of its servers and 24,000 laptops rendered “permanently dysfunctional”. Mondelez submitted a claim for the cost for the loss of hardware on its property insurance policy that provided coverage for “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction”. Despite initially saying it would pay, at least part of the claim, Zurich denied the loss under a hostile or warlike exception to the policy.

See the U.S. and U.K. believed that Russia was responsible for the attack so Zurich denied the claim. Wow. That’s amazing given there is no real evidence, only speculation, that Russia was responsible. Also, normally insurance companies cover the losses to hardware when there is an attack, even a cyber related attack. But in this instance Zurich did not want to pay and now Zurich has to prove it was Russia that perpetrated the attack and it fits with in the “hostile or warlike” exception under the policy.

That’s going to be difficult to do and I suspect Zurich will eventually lose the battle. However, the precident that it will create will be quite interesting, as much as insurance companies want to sell those cyber insurance policies, they only want the income from the perceived protections they provide, they do not actually want to pay out!