Zurich and Mondelez Reach NotPetya Settlement, but Cyber-Risk May Increase


Zurich American Insurance and Mondelez International have settled their dispute over the confectionery giant’s $100m claim related to the 2017 NotPetya cyber-attack.

The lawsuit, widely considered a test case for property war exclusions concerning cyber-attacks, settled before the four-year-long case ended in the Illinois state court.

“This widely publicized case between Zurich and Mondelez International has paved the way for how future insurance claims relating to nation-state breaches will be handled,” Julia O’Toole, CEO of MyCena Security Solutions, told Infosecurity.

According to court documents seen by Law360, the parties have mutually resolved the matter, but details of the settlement were not provided.

Mondelez initially tried to claim roughly $100m in losses related to the 2017 NotPetya events under its 'all-risk' property insurance. The malware reportedly damaged 1,700 of its servers and 24,000 laptops, disrupting distribution and customers.

Zurich, in turn, invoked the policy’s war exclusion, which excluded loss or damage caused by or resulting from hostile or warlike action by any government or sovereign power or their agents. The insurer did so because the NotPetya threat actors were associated with Russia.

The attack against Mondelez, therefore, triggered action by insurers to eliminate silent cyber coverage within traditional insurance policies.

“In the last few months, insurers announced changes to policies to exclude nation-state cyber-attacks, a move which was spurred by the court battles they faced against Mondelez and Merck,” O’Toole added.

According to the executive, insurers can no longer afford to cover cyber negligence, and a big focus for them in the coming months will be around network access and network segmentation.

“They are going to want to see organizations getting better control over their user access credentials, so they are not so easy for attackers to steal,” O’Toole said.

To do so, companies should focus on segmentation strategies and ensure that, even when credentials fall into the wrong hands, a criminal cannot travel through the corporate network and siphon off data, because the network is segmented through encryption.

“When organizations are not following these approaches in the future, they may struggle to get insurance or find their current policies are no longer valid,” O’Toole concluded.

The settlement comes months after a report by Marsh suggested many organizations will miss out on cyber insurance in 2023.
