Mondelez and Zurich’s cyber attack insurance settlement NotPetya has no legal precedent | Media Pyro

Food and beverage multinational Mondelez International and Zurich American Insurance have settled their multi-year lawsuit over cyberattack coverage – or the lack of such coverage – after the notorious NotPetya attack that broke the network and infrastructure Mondelez. The details of the settlement are unknown, but it comes in the middle of a trial that has everyone’s attention.

The pain came on June 27, 2017, when NotPetya disabled 24,000 computers and 1,700 servers in the Mondelez network. Malware, designed to destroy, is what it is. Mondelez estimated the damages to be around $100 million USD.

Mondelez filed its insurance claim under the assumption that assets were damaged by hackers after NotPetya. The company stated that their policy covers “physical loss or damage to electronic data, programs, and computers, including physical loss or damage resulting from improper installation of machine code or learning.”

Zurich denies Mondelez’s claim

Mondelez believed that its insurance policy would be covered, as the company had suffered damage to its infrastructure from the NotPetya malware. After back and forth between the two entities, explaining and documenting the losses, Mondelez said in its court filing that it received a rejection on June 1, 2018, from Zurich, said the reason for the refusal:

“Acts of hostility or war in time of peace or war including acts to prevent, fight, or defend against actual, imminent, or anticipated attack by one:

i) Government or sovereign authority (de jure or true)

ii) Army, naval or air force; or

iii) Dealer or management of any party specified in i or ii above.”

A few weeks later, Zurich reconsidered its decision and advanced Mondelez $10 million, not under the guise, it claimed, and would continue to work with its client. But the “small talk” rule seems to apply, and the $10 million, at the time, was not paid, kicking the proverbial can down the road.

Mondelez will fight back with the lawsuit

In October 2018, Mondelez was satisfied and launched a multi-year lawsuit. As he progressed, developments in the broader world of online insurance litigation began to bubble to the surface.

In January 2022, insurance giant Merck & Co., Inc. will make a $1.4 billion deal with insurer Ace American Insurance Co. The trial judge ruled that the War or Hostile Acts exclusion was not valid in the Merck claim, as it was in the Mondelez claim. There will be industry talk between general coverage and cyber security insurance. It was clear that both needed and changed the industry. But that change did not happen.

Lloyds’ defenses against government-sponsored cyberattacks are game-changing

It wasn’t until August 2022, when the insurance industry Lloyd’s took a deep breath when it issued the insurance industry a market bulletin that revealed four restrictions from The company’s cyber insurance policies are expected to go forward as of March 31, 2023.

Exclusions related to “government-sponsored online purchases” include:

1. Exclude losses caused by war (whether declared or not), unless the policy has a specific war exclusion.
2. (Under 3) eliminate losses caused by government-sponsored cyber attacks
   • very bad the ability of the government to act or to act
   • which seriously undermines the security capabilities of any government
3. It is clear that the coverage excludes computer systems located outside of the affected states in the manner specified in 2(a) & (b) above, due to a government cyberattack.
4. Establish a solid framework on which the parties agree on how a government-sponsored cyberattack against a government should be considered.
5. Make sure all keywords are clear.

As the industry waits with bated breath to see how the court case between Mondelez and Zurich will play out, in the last week of the jury trial the two entities came to decision, the lights are extinguished to those who watch.

Mondelez-Zurich settlement leaves “closer questions”

Violet Sullivan, a cybersecurity and privacy attorney who serves as VP of client engagement for Redpoint Cybersecurity, provided a legal overview to CSOs to better understand the outcome: many of the both sides of the debate on the abolition of war.”

Sullivan said the settlement left investigators with a blind spot, as the trial ended without a decision available to the public to ponder or legal insight into the matter.

“This, along with the recent Merck lawsuit, was based on property policies, not actual internet policies,” Sullivan said. “There are many explanations that are difficult on both sides, but of course there are ongoing questions about what constitutes such cyber activities and when the coverage applies to combative cyber activities.”

Sullivan advises CIOs and CISOs to “work with their online brokers and insurers to fully understand the risk language and policy.” There’s no denying, Sullivan said, that “technical people have realized how difficult it is to fund … and now you have insurance people trying to figure it out, there’s no precedent.”