Mondelez International has settled its lawsuit against Zurich American Insurance Company, which it brought because the insurer refused to cover the snack giant’s $100-million-plus cleanup bill following the 2017 NotPetya outbreak.
The years-long legal battle over the claim has been closely watched by cyber-insurance and legal experts. It has helped fuel an ongoing debate over what constitutes an act of war — which even in cyberspace could invalidate an insurance claim — and whether insurance companies should pay damages caused by network intrusions supported or organized by nation states.
Mondelez, which owns Oreo cookies, Sour Patch Kids candy, Ritz crackers, and dozens of other brands, declined to comment on the settlement. A Zurich American spokesperson, however, told us “the parties have mutually resolved the matter.” Details of the deal have not been disclosed.
While this makes it difficult to comment on, “I would be willing to bet a lot that, especially the carrier, did not want to publicly reveal what their settlement position is on the applicability of war exclusions, and particularly both sides wanted to avoid a judge making a definitive ruling on that,” said Bryan Cunningham, an attorney and advisory council member at Theon Technology.
“If a judge, or five or six judges in different jurisdictions were to actually start saying if a cyberattack can reasonably be attributed to a nation state and therefore be excluded, that would upend the entire cyber-insurance ecosystem and make it almost impossible to get meaningful cyber coverage,” he told The Register.
Mondelez sued Zurich in 2018 after the insurance biz refused to cover damages that the cookie corporation incurred as a result of NotPetya, a fast-spreading strain of file-trashing malware that some say caused more than $10 billion in damage worldwide and was later attributed to the Russian military. NotPetya notably used EternalBlue, a stolen and publicly leaked NSA exploit, to move from vulnerable Windows machine to vulnerable Windows machine.
The grub goliath said after NotPetya got into its network, it was left unable to use 1,700 of its servers and 24,000 laptops.
“As a result of the damage caused both to its hardware and operational software systems, MDLZ incurred property damage, commercial supply and distribution disruptions, unfulfilled customer orders, reduced margins, and other covered losses aggregating well in excess of $100,000,000,” according to court documents [PDF] filed by Mondelez.
At the time, Mondelez’s property and casualty insurance covered “all risks of physical loss or damage” as well as “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”
That’s the way the cookie crumbles
Zurich, however, denied the claim, citing an exclusion in the fine print for “hostile or warlike action in time of peace or war” by a “government or sovereign power,” effectively arguing that the NotPetya losses were the result of a Russian act of war. In which case, Zurich would not cough up the money, leading to a lawsuit over the matter to extract the cash, and now a settlement.
The Mondelez-Zurich face-off follows a similar legal battle between pharma giant Merck and its insurer, ACE American Insurance Company. Like Mondelez, Merck sued the insurance company for damages related to NotPetya. In January, the Superior Court of New Jersey ruled the act of war exclusion only applied to the more traditional, physical armed force, and ordered the insurer to pay Merck $1.4 billion.
The Mondelez lawsuit is “very similar to the Merck situation, in that this is a cyber-related incident falling for consideration under a property insurance policy,” said Peter Hawley, director of insurance solutions in Europe for SecurityScorecard.
“The claim itself would, on the face of it, be properly made in that the circumstances broadly are afforded coverage save for the application of the war exclusion clause,” he told The Register. “What unfortunately seems to have happened is that there was a break in communication between the customer, their broker, and the insurance carrier, as to what was intended to be covered, or not covered, and hence the dispute which followed.”
The settlement also comes as Lloyd’s of London insurance policies will soon stop covering losses from certain nation-state cyber attacks and those that happen during wars, declared or not, beginning April 1, 2023.
“I think Lloyd’s also recognizes that, up until a year or so ago, cyberinsurance policies have been ridiculously underpriced because all of the companies wanted to get into the market,” Cunningham said. “Now that we’ve seen the risk of truly catastrophic, I mean trillion-dollar-cyber events, that could bankrupt the global cyber insurance and reinsurance industry, these companies are scrambling to figure out ways to limit their exposure.”
Cunningham predicts that as a result of, for instance, Lloyd’s nation-state exclusion, governments will step in and provide some type of cyber insurance program, or there will be reforms related to insurance policies and cyber attribution.
Just last month the US Treasury published a request for comment on questions related to cyberinsurance and catastrophic cyber incidents.
Government policy measures could include a backstop program for cyber-insurance risk along the lines of America’s Terrorism Risk Insurance Program, created after 9/11, to help property insurance policies include coverage for damage caused by acts of terrorism, Cunningham said.
“It’s highly likely that there will eventually be some catastrophic cyber event that will start bankrupting insurance companies,” he said. “Hopefully we will have government reform before the event.” ®