Mondelez International and Zurich American Insurance settled a keenly watched lawsuit over how cyberattack insurance applies to intrusions from nation states during wartime. A private agreement, its resolution sheds no light on how the issue will play out.

Multinational food and beverage company Mondelez International and Zurich American Insurance have settled their multiyear litigation surrounding the cyberattack coverage – or lack of such coverage – following the NotPetya malware attack that damaged the Mondelez network and infrastructure. The specifics of the settlement are unknown, but that it would come mid-trial has caught everyone’s attention.

The pain was felt on June 27, 2017, when NotPetya wiped out 24,000 laptops and 1,700 servers within the Mondelez network. The malware, designed to destroy, did just that. Mondelez estimated damages would approach $100 million USD.

Mondelez filed its insurance claim under the logic that property had been destroyed by the miscreants behind NotPetya. The company noted that its policy covered “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of machine code or instruction.”

Zurich rejects the Mondelez claim

Mondelez believed its insurance policy would kick in, as the company had demonstrably experienced damage to its infrastructure from the NotPetya malware. After much back and forth between the two entities, explaining and documenting losses, Mondelez noted in its court filing that it had received a written rejection on June 1, 2018, from Zurich, which cited as the reason for denial:

“Hostile or warlike action in time of peace or war including action in hindering, combating, or defending against an actual, impending, or expected attack by any:
i) Government or sovereign power (de jure or de facto)
ii) Military, naval, or air force; or
iii) Agent or authority of any party specified in i or ii above.”

Some weeks later, Zurich rethought its decision and offered Mondelez a $10 million advance, not subject to claw-back, against its claim, on which it would continue to work with its client. But the law of “talk is cheap” seemed to apply: the $10 million, while discussed, was never paid, and the proverbial can was kicked down the road.

Mondelez fights back with a lawsuit

By October 2018, Mondelez had had enough, and a multiyear litigation was launched. As it progressed, developments in the wider world of cyber insurance litigation began to percolate to the surface. In January 2022, pharma giant Merck & Co., Inc.’s $1.4 billion insurance win against insurer Ace American Insurance Co. landed. The presiding judge ruled that the War or Hostile Acts exclusion was inapplicable in the Merck claim, which had parallels with the Mondelez claim. Industry discussion about the distinction between general coverage and explicit cybersecurity insurance ensued. It became clear that both were needed and that industry adjustment was required. Yet such change wasn’t happening.

Lloyd’s exclusions on state-backed cyberattacks change the game

That was until August 2022, when insurer Lloyd’s caused an industrywide deep breath when it gave the insurance industry a heads-up via a Market Bulletin that outlined four exclusions from cyber insurance policies the company would expect to see going forward as of March 31, 2023.

Those exclusions involving “state-backed cyberattacks” must:
1. Exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
2. (Subject to 3) Exclude losses arising from state-backed cyberattacks that
(a) significantly impair the ability of a state to function, or
(b) significantly impair the security capabilities of a state.
3. Be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state-backed cyberattack.
4. Set out a robust basis by which the parties agree on how any state-backed cyberattack will be attributed to one or more states.
5. Ensure all key terms are clearly defined.

While industry waited with bated breath to see how the courthouse entanglement between Mondelez and Zurich would play out, during the last week of the jury trial the two entities arrived at a settlement, effectively turning out the lights on those observing.

Mondelez-Zurich settlement leaves “looming questions”

Violet Sullivan, a cybersecurity and privacy attorney who serves as the VP of client engagement for Redpoint Cybersecurity, offered CSO a legal perspective to better understand the outcome: “The settlement last week that came on the final day of a multiple-week jury trial deflated many on both sides of the war exclusion debate.”

Sullivan noted that the settlement left observers with something of a blind spot, as it ends the trial without a publicly available decision to ponder or any precedent-setting legal clarity on the issue.

“This, along with the recent Merck litigation, was based on property policies and not standalone cyber policies,” Sullivan said. “There are a lot of coverage details that are complicated on both sides, but this means there are still looming questions on attribution for cyberwar-like acts and when coverages will apply during warlike cyber actions.”

Sullivan advises CIOs and CISOs to “work with their cyber broker or insurer to really understand the risk and policy language.” There is no denying, Sullivan noted, that the “technical people already know how hard attribution is … and now you have insurance people trying to figure it out and there is zero precedent.”