Mondelez International has settled its lawsuit against Zurich American Insurance Company, which it brought because the insurer refused to cover the snack giant’s $100 million-plus cleanup bill following the 2017 NotPetya outbreak.
The year-long legal battle over the claim has been closely watched by cyber insurance and legal experts. That has helped fuel an ongoing debate about what constitutes an act of war — which even in cyberspace can invalidate an insurance claim — and whether insurers should pay damages caused by network breaches sponsored or organized by nation states.
Mondelez, which owns Oreo cookies, Sour Patch Kids candy, Ritz crackers and dozens of other brands, declined to comment on the settlement. However, a U.S. spokesperson for Zurich told us “the parties have mutually resolved the issue.” Details of the deal have not been disclosed.
While that makes the outcome difficult to assess, “I would be willing to bet a lot that, especially the carrier, did not want to publicly disclose what their settlement position is on the applicability of war exclusions, and especially both sides wanted to avoid a judgment making a definitive decision on it,” says Bryan Cunningham, attorney and advisory board member at Theon Technology.
“If one judge, or five or six judges in different jurisdictions, were to actually start saying whether a cyber attack is reasonably attributable to a nation state and therefore excluded, it would upset the entire cyber insurance ecosystem and make it almost impossible to have meaningful cyber coverage,” he told The Register.
Mondelez sued Zurich in 2018 after the insurer refused to cover damages the cookie company suffered as a result of NotPetya, a rapidly spreading, file-system-trashing malware that some say caused more than $10 billion in damages worldwide and was later attributed to the Russian military. Notably, NotPetya used EternalBlue, a stolen and publicly leaked NSA exploit, to spread from one vulnerable Windows machine to the next.
The grub giant said that after NotPetya entered its network, 1,700 of its servers and 24,000 laptops were infected or otherwise affected, leaving staff unable to use systems, applications and data.
“As a result of the damage caused to both its hardware and operational software systems, MDLZ incurred property damage, commercial supply and distribution disruptions, unfulfilled customer orders, reduced margins and other covered losses in excess of $100,000,000 in the aggregate,” according to court documents [PDF] submitted by Mondelez.
At the time, Mondelez’s property and casualty insurance policy covered “all risks of physical loss or damage” as well as “physical loss or damage to electronic data, programs or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”
So by damage, Mondelez means a range of things, from loss of data to physical deterioration of equipment. NotPetya corrupted file system structures and documents, and restoring that data is not trivial.
That’s how the cake crumbles
However, Zurich denied the claim, citing an exclusion in the fine print for “hostile or warlike acts in time of peace or war” by a “government or sovereign power,” and argued that the NotPetya losses were the result of a Russian act of war. On that basis, Zurich wouldn’t cough up the money, which led to the lawsuit and, now, a settlement.
The settlement between Mondelez and Zurich follows a similar legal battle between pharmaceutical giant Merck and its insurer, ACE American Insurance Company. Like Mondelez, Merck sued its insurance company for damages related to NotPetya. In January, the Superior Court of New Jersey ruled that the war exclusion applied only to more traditional, physical armed conflict and ordered the insurer to pay Merck $1.4 billion.
The Mondelez lawsuit is “very similar to the Merck situation, in that this is a cyber-related incident that falls under property insurance,” said Peter Hawley, director of insurance solutions in Europe for SecurityScorecard.
“The claim itself would, at the end of it, be properly made because the circumstances are broadly covered except for the application of the war exclusion clause,” he told The Register. “Unfortunately, what appears to have happened is that there was a breakdown in communication between the client, their broker and the insurance company, about what was intended to be covered, or not covered, and hence the dispute that ensued.”
The settlement also comes as Lloyd’s of London insurers prepare to stop covering losses from certain nation-state cyberattacks and from attacks occurring during war, declared or not, starting April 1, 2023.
“I think Lloyd’s also recognizes that up until a year or so ago, cyber insurance has been ridiculously underpriced because every company wanted to get into the market,” Cunningham said. “Now that we’ve seen the risk of truly catastrophic, I mean trillion-dollar cyber events that could bankrupt the global cyber insurance and reinsurance industry, these companies are trying to find ways to limit their exposure.”
Cunningham predicts that as a result of moves such as Lloyd’s nation-state exclusion, governments will step in and provide some type of cyber insurance program, or there will be reforms related to insurance and cyber attribution.
Just last month, the US Treasury Department published a request for comments on issues related to cyber insurance and catastrophic cyber incidents.
Government policy measures could include a cyber insurance risk backstop program along the lines of the US Terrorism Risk Insurance Program, created after 9/11, to help property insurers include coverage for damage caused by acts of terrorism, Cunningham said.
“It’s very likely that eventually there will be some catastrophic cyber event that will start to bankrupt insurance companies,” he said. “Hopefully we will have government reform before the event.” ®