Mondelez and Zurich’s NotPetya cyberattack insurance settlement sets no precedent

Multinational food and beverage company Mondelez International and Zurich American Insurance have settled a multi-year lawsuit over coverage, or the lack of it, for the NotPetya malware attack that damaged Mondelez’s network and infrastructure. Details of the settlement are unknown, but the fact that it was reached in the middle of the trial is attracting attention.

The pain was felt on June 27, 2017, when NotPetya wiped out 24,000 laptops and 1,700 servers in the Mondelez network. The malware was designed to destroy, and it did just that. Mondelez estimates the damages will reach $100 million.

Mondelez filed an insurance claim on the logic that its property had been destroyed by the bad guys behind NotPetya. The company said its policy covers “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of machine code or instructions.”

Zurich rejects Mondelez claims

Mondelez had apparently suffered damage to its infrastructure from the NotPetya malware and believed its insurance policy would apply. After much back-and-forth between the two entities, explaining and documenting the loss, Mondelez said in its court submission that it received a written refusal from Zurich on 1 June 2018, citing the following exclusion as the reason for refusal:

“Hostile or belligerent actions in peacetime or war, including actions to prevent, combat, or defend against an actual, imminent, or anticipated attack by any of the following:

i) government or sovereignty (de jure or de facto);

ii) army, navy, or air force; or

iii) agents or authorities of a party designated in i or ii above.”

A few weeks later, Zurich reconsidered its decision and offered Mondelez a $10 million advance. But the “talk is cheap” rule seemed to apply: the $10 million was discussed but never paid, and the proverbial can was kicked down the road.

Mondelez hits back with lawsuit

By October 2018, Mondelez had filed suit, starting a multi-year lawsuit. As it progressed, developments in the wider world of cyber insurance litigation began to surface.

In January 2022, pharmaceutical giant Merck & Co., Inc. won a $1.4 billion claim against insurer Ace American Insurance Co. The presiding judge ruled that the war or hostilities exclusion did not apply to Merck’s claim, which was similar to that of Mondelez. An industry debate ensued over general coverage versus explicit cybersecurity insurance. It became clear that both were needed, as was industry coordination. However, no such change occurred.

Lloyd’s exclusion for state-sponsored cyber attack changes the game

That was until August 2022, when a market bulletin from insurance company Lloyd’s outlined 4 exclusions for the company’s future cyber insurance policies as of March 31, 2023.

Exclusions covering “state-sponsored cyberattacks” must:

  1. Exclude losses arising from war (whether declared or not) if the policy does not have a separate war exclusion.
  2. (Subject to 3) Exclude losses resulting from state-sponsored cyberattacks that:
    (a) seriously impair the ability of the state to function, or
    (b) significantly undermine national security capabilities.
  3. Clarify whether non-state computer systems affected by state-sponsored cyber-attacks in the manner outlined in 2(a) and (b) above are excluded from coverage.
  4. Establish a strong basis for parties to agree on how state-sponsored cyberattacks are attributed to one or more states.
  5. Make sure all important terms are clearly defined.

While the industry waited with bated breath to see how the courtroom entanglement between Mondelez and Zurich would unfold, the two entities reached a settlement in the final week of the jury trial, effectively turning off the lights on those observing.

Mondelez-Zurich settlement leaves ‘looming questions’

Cybersecurity and privacy attorney Violet Sullivan, vice president of client engagements at Redpoint Cybersecurity, provided CSOs with a legal perspective to better understand the results. Many on both sides of the war exclusion debate.

Sullivan noted that the settlement left a sort of blind spot for observers: the trial ended without legal clarity and without a publicly available decision or precedent for those pondering the issue.

“This, along with the recent Merck litigation, was based on a property policy rather than a separate cyber policy,” Sullivan said. “While there are many details of compensation that are complicated for both sides, this leaves open questions about the attribution of acts like cyber warfare and when compensation is applied during war-like cyber activities.”

Sullivan advises CIOs and CISOs to “work with your cyber broker or insurer to really understand the risks and policy language.” “Technologists already know how difficult attribution is…and now insurance companies are trying to figure it out, without precedent,” said Sullivan.

Copyright © 2022 IDG Communications, Inc.
