Snack maker Mondelez is suing Zurich North America for $100 million in a lawsuit that could bring big changes to the way multinationals deal with their insurance coverage.
Mondelez is suing the Swiss insurer for declining to foot the cleanup bill after the company was hit by the infamous NotPetya cyberattack in summer 2017, according to the Financial Times. Zurich argued that the attack was an ‘act of war’ and therefore not covered under the policy.
The global snack company said it lost 1,700 servers 24,000 laptops as a direct result of the cyberattack. The NotPetya malware was designed to encrypt files on users’ computers, and then users would be asked to pay a ransom in bitcoin to decrypt the files, thus classifying the incident as a ransomware attack.
In its full-year 2017 results, Mondelez said that “the malware affected a significant portion of the company’s global Windows-based applications and its sales, distribution and financial networks across the company.”
By the end of December 2017, the company incurred a total of $124 million, among them $30 million in incremental expenses as a result of the incident and $84 million as part of the recovery effort.
Earlier in its second-quarter 2017 results, Mondelez stated that its net revenues decreased by 5% because of the incident and currency headwinds. In addition, the incident caused a 2.7% decrease of its ‘Organic Net Revenue’ – defined as net revenues excluding the impacts of acquisitions, divestitures, and other business operations and financial costs.
Zurich rejects Mondelez claim
After having completed its own investigation, Zurich rejected the claim and decided not to pay up, citing an ‘act of war’ exclusion clause in the insurance policy. The clause is a standard and commonly terms used in policies by insurers to limit their exposures.
The exclusion usually states that a policy would not cover losses as results of:
“hostile or warlike hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending or expected attack by any government or sovereign power.”
In this case, the Russian government is the sovereign power that Zurich refers to, while backing its argument with the White House and other Western countries statements.
Indeed, on February 2018 the US government officially placed the blame on Russia, calling it “the most destructive and costly cyber-attack in history.”
The White House statement also said that the attack was “part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.”
Ukraine was the first country hit, the malware quickly spread beyond that country to infect computers at companies across the globe.
Robert Stines, cyber law specialist at US-based law firm Freeborn, told the Financial Times “It’s a pretty big deal. I’ve never seen an insurance company take this position,”
Stines added “It’s going to send ripples through the insurance industry. Major companies are going to rethink what’s in their policies.”
However, the Russian government has formally denied any involvement in the cyberattack. In a conference call with reporters, Kremlin spokesman Dmitry Peskov called the allegations groundless and said it was part of a “Russophobic” campaign by Western governments, according to Reuters.
Not surprisingly, Mondelez disagrees and called Zurich’s move ‘unprecedented’, partly because claiming an act of war would require Zurich to prove that the Russian government was the main perpetrator.
Global insurance and risk management firm, Marsh & McLennan, too considers that NotPetya was not ‘warlike’ and should not trigger the war exclusion.
The case, filed in Illinois court (2018-L-011008), is reportedly the first legal dispute concerning how businesses can recover costs arising from cyberattacks.
Needless to say, this will be watched closely by the insurance industry globally.