Oreo Maker Settles With Insurer Over NotPetya Damages ClaimWhen A Cyberattack Is Cyberwar Still Being Litigated Five Years After NotPetya Wave
A four year court battle over whether the NotPetya attack was, for insurance purposes, an act of war came to a close in a Chicago courtroom even as other legal fights over when a cyber incident is an act of war remain unresolved.
Mondelez International - maker of Oreo cookies, Ritz crackers and Tang fruit-flavored powder - sued Zurich Insurance Group in 2018 after the underwriter refused the food manufacturer's claim under an all-risk property policy of at least $100 million in damages stemming from the malware wave.
In a terse statement, Zurich Insurance Group confirmed that litigation in Illinois state court between the two parties ended in late October. “The parties have mutually resolved the matter," a spokesman said.
Mondelez did not respond to a request for comment. Law360 reported Judge Mary Roberts granted from the bench a motion put forward by the two sides to permanently dismiss the lawsuit, with each side to bear their own costs. The motion came just before closing arguments were set to start in a jury trial already in its second week.
In its 2018 complaint, Mondelez said Zurich denied coverage on a policy for physical loss or damage - including electronic data - by invoking a clause excluding damages caused by "hostile or warlike action."
The litigation has been closely tracked in the cybersecurity and insurance communities for how it'll affect corporate approaches to cyber risk. Insurance marketplace Lloyd's of London earlier this year told underwriters to start excluding coverage for cyberattacks linked to war or state-caused catastrophic attacks. The extent to which destructive attacks launched by nation-state hacking groups can be excluded from coverage without depressing the market for cyber insurance is unclear, given how NotPetya demonstrated that an attack intended for specific targets can quickly spiral out control and the generally lower threshold for expressions of nation-state aggression in virtual versus physical space. The U.S. government in September initiated a study into whether it should provide a backstop or other mechanism for ensuring that cyberattacks with catastrophic consequences don’t go uninsured (see: US Government to Study Cyber Insurance Backstop).
"I definitely think you will see policy holders much more weary of paying a lot of money for this kind of coverage if it's not going to include state-backed cyberattacks," said Josephine Wolff, a Tufts University academic who studies the cyber insurance market. A win for insurers that excludes insurer liability for nation-state cyber attacks would also provoke more litigation over attribution, she told Information Security Media Group. NotPetya's clear attribution to Russia is a rarity among cyber incidents, she noted.
NotPetya was intended by Russian military intelligence as an attack targeted against Ukrainian businesses via a tax accounting application widely used in the Eastern European country. It instead spread across the globe, with damages commonly estimated at around $10 billion. A Kremlin spokesman in 2018 contested the malware's Russian attribution, telling media that attributions to Moscow by the U.K. government and other U.S. allies were part of a "Russophobic campaign."
Federal prosecutors in 2020 indicted six Russian military officers in connection with NotPetya and other hacking incidents (see: Analysis: Can Russia's Cyber Destruction Appetite Be Curbed?).
Mondelez says the malware reached two of its servers housed at different physical locations and at different times and ultimately permanently disabled 1,700 servers and 24,000 laptops.
Attorneys for Zurich asserted that Mondelez's IT infrastructure was "collateral damage" of Russia's longstanding aggression against Ukraine, Law360 reported.
Mondelez is not the only major American company that found claims for NotPetya damages denied by an insurer invoking exclusions for warlike action. Pharmaceutical giant Merck has been locked in litigation since 2018 in New Jersey state court against its insurers after it attempted to claim $1.4 billion worth of damages from its property insurance providers. Judge Thomas Walsh in December ruled for Merck in a decision stating that the company "had every right to anticipate that the exclusion applied only to traditional forms of warfare."
Mondelez attorneys may have paid attention to the ruling, Wolff said, calling the decision a possible motive for the settlement.
The Merck case is still open, with insurance defendants having quickly filed an appeal.