Multinational food and beverage company Mondelez International and Zurich American Insurance have settled their multi-year litigation surrounding the cyber attack coverage – or lack of such coverage – following the NotPetya malware attack that damaged the Mondelez network and infrastructure. The details of the settlement are unknown, but that it would come in the middle of the trial caught everyone’s attention.
The pain was felt on June 27, 2017, when NotPetya wiped out 24,000 laptops and 1,700 servers within the Mondelez network. The malware, designed to destroy, did just that. Mondelez estimated that damages would approach $100 million USD.
Mondelez submitted its insurance claim under the logic that property was destroyed by the evildoers behind NotPetya. The company noted that their policy covers “physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of machine code or instructions.”
Zurich rejects the Mondelez claim
Mondelez believed its insurance policy would kick in as the company had demonstrably experienced damage to its infrastructure from the NotPetya malware. After much back-and-forth between the two entities, explaining and documenting losses, Mondelez noted in its court filing that it received a written rejection from Zurich on June 1, 2018, citing as its reason for denial:
“Hostile or belligerent conduct in time of peace or war, including conduct in the prevention, suppression or defense of an actual, threatened or anticipated attack by any:
i) Government or sovereign power (de jure or in reality)
ii) Military, naval or air force; or
iii) Agent or authority of any party specified in i or ii above.”
Several weeks later, Zurich reconsidered its decision and offered Mondelez a $10 million advance, not subject to clawback, against his claim, on which he would continue to work with his client. But the law of “talk is cheap” applied, and the $10 million, while discussed, was never paid and the proverbial can was kicked.
Mondelez is fighting back with a lawsuit
By October 2018, Mondelez had had enough, and a multi-year litigation was launched. As this progressed, developments in the wider world of cyber insurance litigation began to seep to the surface.
In January 2022, pharmaceutical giant Merck & Co., Inc. ‘s $1.4 billion insurance victory against insurer Ace American Insurance Co . The presiding judge ruled that the war or hostile laws exclusion was inapplicable in the Merck claim, which had parallels to the Mondelez claim. Industry discussion between general coverage and explicit cyber security insurance followed. It became clear that both were needed and industry adaptation was needed. Yet such change did not occur.
Lloyds exclusions on state-sponsored cyber attacks change the game
That was until August 2022, when insurer Lloyd’s caused a deep industry-wide gasp when it gave the insurance industry a head start via a Market Bulletin detailing four exclusions from cyber insurance policies that the company expected to see going forward by March 31 to see. , 2023.
Those exclusions involving “state-sponsored cyber attacks” must:
- Excludes losses arising from war (whether declared or not), where the policy does not have a separate war exclusion
- (Subject to 3) excludes losses arising from state-sponsored cyber-attacks which
- significantly impair the ability of a state to function or
- which significantly impairs the security capabilities of a state
- Be clear whether coverage excludes computer systems located outside of any state that are affected in the manner set forth in 2(a) & (b) above, by the state-sponsored cyber attack.
- Set out a robust basis by which the parties agree on how any state-sponsored cyber attack will be attributed to one or more states.
- Make sure all key terms are clearly defined.
As the industry waited with bated breath to see how the courthouse tussle between Mondelez and Zurich would play out, the two entities reached a settlement during the final week of the jury trial, effectively dimming the lights for those watching.
Mondelez-Zurich settlement leaves ‘looming questions’
Violet Sullivan, a cybersecurity and privacy attorney who serves as the VP of client engagement for Redpoint Cybersecurity, provided CSO with a legal perspective to better understand the outcome: “The settlement last week that came on the final day of a multi-week jury trial has inflamed many on both sides of the war exclusion debate.”
Sullivan noted that the settlement left observers with something of a blind spot, as it ended the trial and without a publicly available decision to reflect on or any precedent-setting legal clarity on the issue.
“This, along with the recent Merck litigation, was based on property policies and not standalone cyber policies,” Sullivan said. “There are a lot of coverage details that are complicated on both sides, but that means there are still questions about the recognition of cyberwarfare acts and when coverages will apply during cyberwarfare actions.”
Sullivan advises CIOs and CISOs to “work with their cyber broker or insurer to really understand the risk and policy language.” Sullivan noted that there is no denying that the “technical people already know how difficult attribution is … and now you have insurance people trying to figure it out and there is no precedent.”
Copyright © 2022 IDG Communications, Inc.