A settlement was reached last week in a $100,000 lawsuit between Zurich, a global insurance giant, and Mondelēz International, the global food brand behind Oreo cookies and Ritz crackers. The lawsuit, which revolved around Mondelez’s claim that Zurich should cover the losses it suffered from the notorious NotPetya attacks of 2018, may reshape the cyber insurance market.
The lawsuit hinged on Zurich’s denial of Mondelez’s claim after the NotPetya malware locked up 1,700 of its servers and a staggering 24,000 laptops, bringing the corporation to a grinding halt with more than $100 million in damages. The 2017 NotPetya attacks were linked to Russia-affiliated state threat actors, and Zurich denied Mondelez’s claim, citing an exclusion in their contract for “acts of war”.
It’s clear that what Mondelez and many other corporations were victims of was not an act of war, but “collateral damage” in a much larger geopolitical war that they were not affiliated with, said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies. “We’re going to need to rethink what act of war means in cyberspace when it comes to insurance,” said Lewis. “The current definitions come out of the 19th century when we had pirates, navies, and privateers.”
To protect themselves from huge payouts, some insurers, like Lloyd’s of London, indicated that they will be excluding coverage for state-backed attacks in policies starting in April 2023. The problem with this approach is that it can have devastating effects on the cyber insurance industry, as companies won’t see the benefit of paying insurance premiums given the sheer volume of state-sponsored cyber activity.
Caroline Thompson, head of underwriting at Cowbell Cyber, a cyber insurance provider for small and midsize businesses (SMBs), notes that ambiguity in the policy wording regarding “acts of war” cleared the path to the Mondelez settlement. This, she explained, should serve as a warning to underwriters and insurance providers. If there’s one thing everyone agrees on in the cyber insurance market, it’s that transparency and clarity are key to a successful contract.