Mondelez International has settled its lawsuit against Zurich American Insurance Company, which was filed because the insurer refused to pay the snack food giant’s $100 million clean-up bill following the 2017 NotPetya outbreak.
The years of litigation surrounding the claim have been closely watched by cyber insurance and legal experts. The case has helped fuel an ongoing debate about what constitutes an act of war – which could invalidate an insurance claim even in cyberspace – and whether insurance companies should pay for damages caused by nation-state-sponsored or orchestrated network break-ins.
Mondelez, which owns Oreo cookies, Sour Patch Kids candy, Ritz crackers and dozens of other brands, declined to comment on the settlement. “The parties have resolved the matter amicably,” an American spokesman for Zurich told us. Details of the deal were not disclosed.
While that makes comment difficult, “I’d be willing to bet a lot that the airline in particular didn’t want to publicly reveal its position on the applicability of war exclusions, and in particular both sides wanted to avoid a judge making a final decision on that,” said Bryan Cunningham, attorney and advisory board member at Theon Technology.
“If a judge or five or six judges in different jurisdictions actually started saying whether a cyberattack could reasonably be attributed to a nation state and therefore excluded, it would turn the entire cyberinsurance ecosystem on its head and make it almost impossible to get meaningful cyber coverage,” he told The Register.
Mondelez sued Zurich in 2018 after the insurance company refused to pay for damage the cookie company suffered from NotPetya, a fast-spreading strain of file-erasing malware that some say caused more than $10 billion in damage worldwide and was later attributed to the Russian military. NotPetya specifically used EternalBlue, a stolen and publicly leaked NSA exploit, to spread from one vulnerable Windows machine to another.
The Grub Goliath said after NotPetya got on its network, it was unable to use 1,700 of its servers and 24,000 laptops.
“As a result of damage caused to both its hardware and operational software systems, MDLZ suffered property damage, commercial supply and distribution disruptions, failed customer orders, reduced margins and other covered losses totaling well over US$100,000,000,” according to court filings [PDF] submitted by Mondelez.
At the time, Mondelez property and casualty insurance covered “all risks of physical loss or damage” and “physical loss or damage to electronic data, programs or software, including loss or damage caused by the malicious introduction of any machine code or instruction.”
That’s how the rabbit runs
However, Zurich dismissed the claim, citing an exclusion in the fine print for “acts of hostility or war in time of peace or war” by a “government or sovereign power,” effectively arguing that the NotPetya losses were the result of a Russian act of war. On that basis Zurich would not pay out, which led to the lawsuit and, ultimately, the settlement.
The duel between Mondelez and Zurich follows a similar legal battle between pharmaceutical giant Merck and its insurer ACE American Insurance Company. Like Mondelez, Merck is suing the insurance company for damages related to NotPetya. In January, the New Jersey Supreme Court ruled that the war exclusion applied only to more traditional, physical force, and ordered the insurer to pay Merck $1.4 billion.
The Mondelez lawsuit is “very similar to Merck’s situation in that it involves a cyber-related incident that falls under a property insurance policy,” said Peter Hawley, director of insurance solutions in Europe at SecurityScorecard.
“The claim itself would, on the face of it, be properly made as the circumstances are broadly covered apart from the application of the non-war clause,” he told The Register. “Unfortunately, what appears to have happened is that there was a disruption in communication between the client, their agent and the insurance carrier about what should or should not be covered, and hence the dispute that ensued.”
The settlement also comes as Lloyd’s of London’s insurance policies will cease to exist on 1 January 2018.
“I think Lloyd’s also recognizes that up until about a year ago, cyber insurance policies were ridiculously undervalued because all the companies were looking to get into the market,” Cunningham said. “Now that we’ve seen the risk of truly catastrophic, I mean trillion dollar cyber events that could bankrupt the global cyber insurance and reinsurance industry, these companies are scrambling to find ways to manage and limit their risk.”
Cunningham predicts that as a result of exclusions such as Lloyd’s for nation states, governments will step in and offer some sort of cyber insurance program, or there will be reforms related to insurance policies and cyber attribution.
Just last month, the US Treasury Department issued a request for comment on issues related to cyber insurance and catastrophic cyber incidents.
Government policies could include a cyber insurance risk backstop program modeled after America’s Terrorism Risk Insurance Program, which was created after 9/11 to help property insurance policies cover losses from acts of terrorism, Cunningham said.
“It is very likely that at some point there will be a catastrophic cyber event that will bankrupt insurance companies,” he said. “Hopefully we’ll have government reform before the event.” ®
https://www.theregister.com/2022/11/02/mondelez_zurich_notpetya_settlement/ Mondelez, Zurich settles $100 million NotPetya insurance lawsuit • The Register