Mondelez International and Zurich American Insurance settled a keenly watched lawsuit over how cyberattack insurance applies to intrusions from nation states during wartime. A private agreement, its resolution sheds no light on how the issue will be play out. Credit: Thinkstock Multinational food and beverage company Mondelez International and Zurich American Insurance have settled their multiyear litigation surrounding the cyberattack coverage – or lack of such coverage – following the NotPetya malware attack that damaged the Mondelez network and infrastructure. The specifics of the settlement are unknown, but that it would come mid-trial has caught everyone’s attention.The pain was felt on June 27, 2017, when NotPetya wiped out 24,000 laptops and 1,700 servers within the Mondelez network. The malware, designed to destroy, did just that. Mondelez estimated damages would approach $100 million USD.Mondelez filed its insurance claim under the logic that property had been destroyed by the miscreants behind NotPetya. The company noted that their policy covered “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of machine code or instruction.”Zurich rejects the Mondelez claimMondelez believed its insurance policy would kick in, as the company had demonstrably experienced damage to its infrastructure from the NotPetya malware. After much back and forth between the two entities, explaining and documenting losses, Mondelez noted in its court filing that it had received a written rejection on June 1, 2018, from Zurich, which cited as the reason for denial: “Hostile or warlike action in time of peace or war including action in hindering, combating, or defending against an actual, impending, or expected attack by any:i) Government or sovereign power (de jure or de facto)ii) Military, naval, or air force; oriii) Agent or authority of any party specified in i or ii above.”Some weeks later, Zurich rethought its decision and offered Mondelez a $10 million advance, not subject to claw-back, against its claim, on which it would continue to work with its client. But the law of “talk is cheap” seemed to apply, and the $10 million, while discussed, was never paid and the proverbial can was kicked down the road.Mondelez fights back with a lawsuitBy October 2018, Mondelez had had enough, and a multiyear litigation was launched. As it progressed, developments in the wider world of cyber insurance litigation began to percolate to the surface. In January 2022, pharma giant Merck & Co., Inc.’s $1.4 billion insurance win against insurer Ace American Insurance Co. landed. The presiding judge ruled that the War or Hostile Acts exclusion was inapplicable in the Merck claim, which had parallels with the Mondelez claim. Industry discussion between general coverage and explicit cybersecurity insurance ensued. It became clear that both were needed and industry adjustment required. Yet such change wasn’t happening.Lloyds exclusions on state-backed cyberattacks change the gameThat was until August 2022, when insurer Lloyd’s caused an industrywide deep breath to occur when it gave the insurance industry a heads-up via a Market Bulletin that outlined four exclusions from cyber insurance policies the company would expect to see going forward as of March 31, 2023.Those exclusions involving “state-backed cyberattacks” must:Exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion(Subject to 3) exclude losses arising from state backed cyber-attacks thatsignificantly impair the ability of a state to function orthat significantly impair the security capabilities of a stateBe clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state-backed cyberattack.Set out a robust basis by which the parties agree on how any state-backed cyberattack will be attributed to one or more states.Ensure all key terms are clearly defined.While industry waited with bated breath to see how the courthouse entanglement between Mondelez and Zurich would play out, during the last week of the jury trial the two entities arrived at a settlement, effectively turning out the lights to those observing.Mondelez-Zurich settlement leaves “looming questions”Violet Sullivan, a cybersecurity and privacy attorney who serves as the VP of client engagement for Redpoint Cybersecurity, offered CSO a legal perspective to better understand the outcome: “The settlement last week that came on the final day of a multiple-week jury trial deflated many on both sides of the war exclusion debate.”Sullivan noted that the settlement left observers with something of a blind spot, as it ends the trial and without a publicly available decision to ponder or any precedent-setting legal clarity on the issue. “This, along with the recent Merck litigation, was based on property policies and not standalone cyber policies,” Sullivan said. “There are a lot of coverage details that are complicated on both sides, but this means there are still looming questions on attribution for cyberwar-like acts and when coverages will apply during warlike cyber actions.”Sullivan advises CIOs and CISOs to “work with their cyber broker or insurer to really understand the risk and policy language.” There is no denying, Sullivan noted, that the “technical people already know how hard attribution is … and now you have insurance people trying to figure it out and there is zero precedent.” Related content feature How cybersecurity teams should prepare for geopolitical crisis spillover CISOs can anticipate and prepare for cyberattacks conducted by participants in geopolitical conflict such as the Israel/Hamas war by understanding the threat actors' motivations and goals. By Christopher Whyte Dec 05, 2023 12 mins Advanced Persistent Threats Advanced Persistent Threats Advanced Persistent Threats news analysis P2Pinfect Redis worm targets IoT with version for MIPS devices New versions of the worm include some novel approaches to infecting routers and internet-of-things devices, according to a report by Cado Security. By Lucian Constantin Dec 04, 2023 5 mins Botnets Hacker Groups Security Practices news Hackers book profit by scamming Booking.com customers Malicious elements are using Vidar infostealer to gain access to Booking.com’s management portal and defraud customers. By Gagandeep Kaur Dec 04, 2023 4 mins Cyberattacks opinion Proactive, not reactive: the path to ensuring operational resilience in cybersecurity The experience of the financial sector in dealing with threats is instructive to anyone in the cybersecurity space — there’s no substitute for getting out ahead of potential risks and problems. By Cameron Dicker Dec 04, 2023 6 mins Financial Services Industry Data and Information Security Security Practices Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe