Mondelez International and Zurich American Insurance settled a multi-year legal battle over the snack giant’s $100 million claim regarding losses from the NotPetya cyberattack in 2017.
The closely watched lawsuit has fueled an ongoing discussion over who should pay when businesses are hit by state-sponsored cyberattacks. It could have broader implications for policymakers, highlighting the urgent need for them to devise practical, long-term solutions to address increasing cyber threats blamed on nation-state actors.
Mondelez, owner of Oreo cookies, Triscuit crackers, and dozens of other snack food brands, did not respond to SC Media’s request for comment on the settlement. A spokesperson from Zurich American told SC Media that “the parties have mutually resolved the matter.”
Mondelez was one of the hundreds of victims hit by NotPetya, one of the largest cyberattacks in history that cost up to $10 billion worldwide and was later attributed to the Russian government. According to court documents filed by Mondelez and obtained by The Register, the malware affected more than 1,700 servers and 24,000 laptops, which led to over $100 million in financial losses.
At the time, Mondelez’s insurance contract stated that it covered “all risks of physical loss or damage,” including “physical loss or damage to electronic data, programs, or software” as well as “loss or damage caused by the malicious introduction of machine code or instruction.” But the insurer, Zurich Insurance, initially refused to cover the cost by citing a clause in the contract — “war exclusion,” a provision that protects insurers from paying costs related to damage from war or warlike actions. The disagreement between the two parties led to a legal fight and eventually a settlement last week.
A similar case involved Merck & Co.’s legal dispute with its insurer, Ace American, over $1.4 billion in losses caused by NotPetya. A New Jersey court dismissed Ace American’s war-exclusion claim, noting that the language in the contract is meant to refer to armed conflict and that the NotPetya attack does not fit into that category.
Jennifer Mulvihill, business development head of cyber insurance and legal at BlueVoyant, said these cases have particularly highlighted questions on who should take the responsibility to determine attribution.
“One could argue that an insurer should be involved in any attribution investigation to determine coverage. But as the market reacts to Lloyd’s announcement of exclusionary language in 2023, this seems like a daunting task better left to law enforcement or government,” Mulvihill said.
Christopher Gray, AVP of security strategy at Deepwatch, told SC Media that he is optimistic that the policy language will become “tighter” and more precise with the continuous removal of gray areas.
“In the end, policies will move from having just the ‘four areas of coverage’ — network security and privacy liability, network business interruption, media liability and errors and omissions — to including additions and riders that specifically address higher risk scenarios,” Gray said.
While some noted that Mondelez and Zurich did not release details about the deal as both parties wanted to avoid a judge making a definitive ruling on the topic, Mulvihill told SC Media it might be premature to be concerned about setting a precedent.
“Both insurers and carriers are still working out quantifying and qualifying risks, so we have not seen much litigation,” she explained.