Mondelez, Zurich American Insurance Company Settle Claim Lawsuit Over NotPetya Infection
Mondelez International has settled a lawsuit it brought against the Zurich American Insurance Company for the insurer’s refusal to pay a $100 million claim over a cyberattack. Mondelez International’s IT systems became infected with the NotPetya malware in 2017. The company says it incurred costs in excess of $100 million due to damaged hardware and operational software systems, supply and distribution disruptions, and other losses.
As usual, the cost of avoiding this incident was likely much lower than the costs Mondelez incurred – even after achieving this settlement with their insurer. There are no details on how much Zurich paid Mondelez in the settlement, but it was most likely less than $100M. Plus, Mondelez paid the insurance premiums with a deductible, and paid for 5 years of legal costs. The biggest impact to their bottom line is not those costs – in 2020, Mondelez had over $25B in revenue/turnover and almost $5B in profit. The biggest impact to profit was that they failed to protect their customers from being impacted.
You may not have heard of Mondelez, but you know their brands: Oreo Cookies, Sour Patch Kids candy, Ritz Crackers, etc. One of the topics being debated is whether this was an act of war (aka a nation state attack), which would then invalidate the insurance claim. While the policy appeared to cover much of the damage incurred, the insurer was focused on NotPetya being Russian APT in origin (originally used against Ukraine by the Sandworm APT) and therefore a nation state attack; what is not clear is if the collateral damage was also the actions of the APT. With efforts to tighten up insurance language, make sure that you not only tabletop this type of scenario, but also have engaged legal counsel to carefully review your most current policy and are prepared to defend your case. Include contingencies for an extended settlement timeframe, which you hopefully won't need.
We will likely never know the terms of the settlement, but suffice it to say, adherence to essential cyber hygiene practices would have limited the costs of cleanup and recovery for Mondelez. Insurers, over the past 24 months, have moved to require basic cybersecurity practices and evidence of such practices before establishing a cybersecurity policy. It remains to be seen whether the application of the war exclusion clause, under which Zurich denied the claim, will continue to be included in future cybersecurity policies.
Poorly written insurance contracts create what the insurance industry calls a “moral hazard”: they invite people to assign to underwriters risk that, in the absence of such contracts, would be cheaper to mitigate.