Mondelez has sued Zurich for an estimated $100 million claiming that the insurance giant refused payment in damages incurred by the NotPetya cyber attack in June 2017.
The US food giant, which produces Oreo and Cadbury, in documents filed to the court alleges that Zurich, despite initially agreeing to a payment of $10 million, now through its US arm, has refused payment. Mondelez is seeking payment in compensation for the permanent damage to 1,700 of its servers, 24,00 of its laptops and damage to its distribution operations according to The Financial Times.
In response, Zurich claimed that the June 2017 cyber-attack - which followed the Ransomware attacks in March 2017 - inflicted $3 billion worth of damage according to the experts – can be regarded as being a “hostile or warlike action in peacetime or war”. Therefore, this constitutes a war exclusion from the policy with Mondelez, a first in cyber policy history.
Zurich has based their defence on the statements made by the Western Governments after the attack. In February 2018, the UK Government along with the other members of the ‘Five Eyes’, (USA, UK, New Zealand, Australia and Canada) blamed the Russian Government. The White House described the attack as “part of the Kremlin’s ongoing effort to destabilise Ukraine” according to Bloomberg. The jury is out as to whether this line of argument will hold up in court, given the complex nature of cyber attacks.
While the court case will no doubt heat up over the coming months, the more pressing issue for insurers is the use of war exclusion in a cyber policy. As advanced warfare techniques become more complex, technology advances and geopolitics shows no signs of ramping down tensions, this debate will continue for many months and years.