Mondelez sues Zurich over $100m cyberhack insurance claim

Zurich refused to pay out for NotPetya attack, relying on war exclusion

A Cadbury chocolate egg production line. Mondelez, the US food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, over a NotPetya cyberattack claim. Photograph: Simon Dawson/Bloomberg

Mondelez, the US food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, for refusing to pay out on a $100 million claim for damage caused by the NotPetya cyberattack.

The case will be the first serious legal dispute over how companies can recover the costs of a cyberattack, as insurance groups seek to tightly define their liabilities.

“It’s a pretty big deal. I’ve never seen an insurance company take this position,” said Robert Stines, a cyberlaw specialist at the US law firm Freeborn. “It’s going to send ripples through the insurance industry. Major companies are going to rethink what’s in their policies.”

The NotPetya attack in the summer of 2017 crippled the computer systems of companies around the world, including Merck, the pharmaceuticals company, Reckitt Benckiser, the consumer group, and Maersk, the world's largest shipping group.

It caused billions of dollars of damage and has been blamed by the US and the UK on Russian hackers attacking the Ukrainian government. The Kremlin has denied any involvement.

‘Permanently dysfunctional’

In court papers filed in Illinois, Mondelez said it had been hit twice by NotPetya, with 1,700 of its servers and 24,000 laptops rendered "permanently dysfunctional".

Mondelez made a claim for the costs on its property insurance policy that, it said, provided cover for “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction”.

According to the Mondelez court documents, Zurich initially worked to adjust the claim in the usual way and at one point even promised to make a $10 million interim payment. But it later refused to pay, relying on an exclusion in the policy for “a hostile or warlike action” by a government or sovereign power or people acting for them.

Mondelez described Zurich’s refusal as “unprecedented” and is seeking $100 million in damages. Both companies declined to comment on the case.

“It’s a pretty bold move to rely on a war exclusion for a state-sponsored hack. Nobody has raised this exclusion before,” said Sarah Stephens, a cyberspecialist at insurance broker JLT. “The insurer would have to prove it and it’s so hard to prove attribution.”

Rob Smart, technical director at the insurance consultancy Mactavish, said exclusions for terrorism and war were “a bit of a grey area” but that it was unlikely that the policy’s authors would have had such cyberattacks in mind when inserting the exclusion.

Biggest worries

The claim gets to the heart of one of the insurance industry’s biggest worries about cyberattacks. While there is a booming market for cyber-specific insurance policies, many companies make claims for cyberattacks on their non-cyber policies, as Mondelez has done.

Insurers are concerned about the full extent of this so-called “silent cyber exposure”, and experts said Zurich could be testing the courts on this point.

“It is a large loss on a non-cyber policy. This would be a silent cyber claim and insurers are trying to weed out that coverage,” said Ms Stephens.

Nevertheless, the case could have wide implications for the insurance market, potentially pushing insurance buyers to either buy cyber-specific policies or demand tighter terms for their non-cyber coverage. – Copyright The Financial Times Limited 2019