Cyber Insurance NotPetya Lawsuit: Mondelez Sues Zurich
U.S. snack food company Mondelez International has filed a $100 million lawsuit against Zurich Insurance — stemming from losses and damages related to the June 2017 NotPetya ransomware attack, according to The Register.
The lawsuit raises fresh questions about how cyber insurance companies cover — and don’t cover — customers that suffer cyberattacks. Mondelez lost 1,700 servers and 24,000 laptops due to NotPetya, The Register reported. The company also recorded a 5 percent drop in quarterly sales due to NotPetya-related shipping and invoicing problems.
Zurich initially offered $10 million to cover Mondelez’s NotPetya claim, The Register indicated. However, Zurich later rescinded its offer, citing NotPetya as a “hostile or warlike action in time of peace or war” by a “government or sovereign power.”
Mondelez was protected against “all risks of physical loss or damage,” according to its Zurich cyber insurance policy. The company also was covered against “physical loss or damage to electronic data, programs or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”
NotPetya was “the most destructive and costly cyberattack in history,” according to the White House. It was launched as part of the Kremlin’s effort to destabilize Ukraine.
A Closer Look at NotPetya
NotPetya infected computers across more than 100 countries over the course of a few days. The malware disguised itself as the Petya ransomware to gain administrator access to thousands of computers globally.
In addition to Mondelez, NotPetya affected a variety of global organizations, including:
- FedEx: Global courier delivery services company FedEx estimated that NotPetya resulted in $300 million in lost business and cleanup costs.
- Beiersdorf: Beiersdorf, a German consumer products provider, suffered a financial loss in the first half of 2017 due to shipping and production delays caused by NotPetya computer and system outages.
- Maersk: Container shipping company Maersk has attributed at least $300 million in financial losses to NotPetya.
NotPetya has cost organizations at least $1.2 billion in combined quarterly and yearly revenue, endpoint detection and response (EDR) provider Cybereason indicated. Furthermore, cyber risk analytics platform company Cyence has estimated that insurance companies would need to pay $81.7 billion to cover the total costs of claims related to NotPetya and other cyberattacks.
It is important to point out that the subject insurance policy was a global property insurance policy and NOT a stand alone cyber insurance product. Cyber insurance can overlap several insurance policies including property & crime insurance…none of which is considered adequate coverage for all cyber related claims.
Jeff: Thanks for adding your perspectives and sharing your comments. We’ll be sure to keep those thoughts in mind as we pursue potential follow-up coverage on this legal case.