Mondelez vs Zurich comes as the nascent cyber insurance market continues to develop with increased demand for cyber policies.

The $100m dispute between Zurich and its insured Mondelez, a snack food maker, raises questions about appropriate insurance coverage and effective risk management for cyber risks.

The case underlines a new grey area for insurers and policyholders. Companies are hopeful broad policies will cover cyber risk, while insurers fear cyber exposure on non-cyber policies.

The ruling on the Mondelez-Zurich case is likely to be a landmark for insurers and risk professionals across the globe. The dispute comes as the nascent cyber-insurance market continues to develop, with an increased demand for cyber policies.

How the case unfolded

It was a nightmare. Executives at one of the world’s largest snack companies, Mondelez, watched as 1,700 servers and 24,000 laptops were permanently paralysed by a malware attack.

As a result, the firm was forced to repair and replace equipment, while customer orders went unfulfilled amid chaos in the supply and distribution system.

All told, Mondelez reasons it was left more than $100m out of pocket as a result of the attack. But executives expected to get it back because they were insured for such a loss. Or so they thought.

After the NotPetya malware devastated many of its systems on 27 June 2017, Mondelez got in touch with its insurer Zurich.

The US-based snack maker, which owns Cadbury, Milka and Toblerone - among a feast of other household names - had a “voluminous” property policy with the US arm of the Swiss insurer.

The one-year policy, which kicked in on 1 November 2016, covered “all risks of physical damage” to Mondelez’ property. What's more, it specifically protected against “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction,” according to court documents.

What Petya?

After filing its claim, Mondelez says it worked with Zurich, providing “voluminous” amounts of information quantifying and substantiating the extent of its losses. It also let the insurer speak to its staff and consultants, who could give a view on how the attack happened.

Meanwhile, Mondelez says, Zurich was telling potential policyholders that the NotPetya attack - so called because it resembled another less serious virus dubbed Petya unleashed a year earlier - was a ransomware scheme and suggesting customers should buy more insurance to cover against such events.

Nevertheless, as the one-year anniversary of the attack neared, Zurich wrote to Mondelez with some bad news. It was refusing to pay the claim.

Zurich says no

It relied on a contractual term buried in the policy documents to justify its decision. And although “Exclusion B.2(a)” may not sound like much, it may just mean that Mondelez doesn’t get paid.

The section reads:

This Policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this policy, contributing concurrently or in any other sequence to the loss:

(i) government or sovereign power (de jure or de facto);

(ii) military, naval, or air force; or

(iii) agent or authority of any party specified in i or ii above.

Zurich refused to comment on the case, saying it did not discuss confidential claims information. However, in a filing responding to the Mondelez claim in an Illinois court, Zurich confirmed that it had denied the claim, citing Exclusion B.2(a).

In a statement emailed to this publication, Michael Barry of the Insurance Information Institute in New York suggested that the exclusion Zurich is relying on to deny the claim under Mondelez’ property policy could also apply to some standalone cyber policies.

“In property insurance, it is common to have policy exclusions incorporated into them for damages incurred by state-sponsored hostile attacks, war, or terrorism,” he said. “There is no standardised cyber insurance policy.”

“Nonetheless, most cyber insurance policies do have a war exclusion,” he went on.

“Yet,” he said, “this exclusion often does not extend to cyber terrorism-related exposures, including state-sponsored hostile attacks.”

The Kremlin connection

There is good reason to think that there was a state actor behind the NotPetya attack, though it is important to note that, like most cyber-attacks, it is yet to be formally proven exactly who was behind the attack.

Both the UK and US have publicly blamed the Russian government for the virus, which is estimated to have wrought about $10bn of damage worldwide and also crippled the likes of Danish shipping giant Maersk and American pharmaceutical maker Merck. 

But, Mondelez says, Zurich’s decision to depend on a policy term excluding claims resulting from a “hostile or warlike action” to refuse to pay for a malicious cyber incident was “unprecedented”.

In addition, it says: “The purported application of this type of exclusion to anything other than conventional armed conflict or hostilities was unprecedented.”

“On this basis alone,” Zurich was wrong to refuse to pay the claim, it concludes.

Mondelez claims that the outdated policy language was not designed to specifically exclude cyber incidents from the coverage. As a result, Mondelez says, senior managers at Zurich knew that the decision to refuse the claim was “wrongful and improper”. Zurich denies this.

Allegedly fearful that the snack giant would immediately launch litigation, causing a storm of negative publicity about the insurer’s philosophy around paying cyber claims, Zurich took the unusual step of retracting its letter denying cover for the attack.

Instead, Zurich said it would continue to adjust Mondelez’ claim and offered a $10m advance, which the snack giant says was an attempt to stop it from suing the insurer.

And it worked: although Mondelez did not receive the cash advance, it held back from filing a suit against the insurer. But then on 9 October, when “patience had run out” at Mondelez, Zurich wrote to the firm, again denying coverage for the NotPetya virus under the property policy. The following day, Mondelez filed its claim.

Responding, Zurich denied all of the substantive allegations made by Mondelez. Both firms have called for a jury trial to decide whether the claim is covered.

The case continues.