If lawyers moved at even a fraction of the speed that cyber attacks do, the answer in the paragraph above would be somewhat less and this particular case may be somewhat less remarkable.
Let’s start all the way back in June 2017, when attackers released the NotPetya malware. While this may be a household name amongst techies, it may mean diddly squat to Joe and Josephine Bloggs. To put it simply, NotPetya was a rapidly spreading encrypting malware that targeted Windows-based machines. Commonly referred to as the most destructive and devastating cyber attack in history, evidence suggests it was a politically motivated cyber weapon deployed by Russia against Ukraine.
When attackers released the NotPetya malware in June 2017 (with some similarities to its 2016 predecessor Petya), it spread within hours to hundreds of companies, including food manufacturer Mondelez. Yet it took more than five years for Mondelez and its insurer, Zurich Insurance, to mop up the legal fallout.
In November 2016, Zurich provided a policy to Mondelez, offering coverage for “all risks of physical loss or damage,” including to electronic data and programs. The coverage explicitly covered losses caused by the operational failure of electronic data processing equipment.
Fast forward eight months or so and NotPetya hit two separate servers at Mondelez, impacting 1,700 servers and 24,000 laptops. Mondelez, which started out as Kraft Foods, is now a multinational holding company that owns brands ranging from Cadbury’s and Fry’s through to Oreo and even Dentyne. The malware attack, which destroyed files with no ability to restore them, cost the firm over $100m (£80m).
Unsurprisingly, Mondelez filed an insurance claim but Zurich denied coverage, citing a clause in its policy that excluded “hostile or warlike action” by government or sovereign powers.
Mondelez argued that applying this exclusion to cyber incidents was unprecedented, and that failing to explicitly exclude cyber attacks made the language too vague to support the exclusion. According to court documents, this led to some to-and-fro between the companies as Mondelez threatened to sue Zurich.
Mondelez’s initial complaint said that Zurich agreed to reverse its decision, consenting to forward a partial payment of $10m to Mondelez but asking for the right to claw some of it back subject to future negotiation. Mondelez said that Zurich conceded to relinquish this claw-back provision when the food giant refused.
Things became more strained when, according to Mondelez, the money didn’t materialise. By October 2018, “MDLZ’s patience had run out, and Zurich knew that,” said the complaint. The insurer reinstated the exclusion, officially denying funds to Mondelez once again. Mondelez took the insurer to court, citing breach of contract along with vexatious and unreasonable conduct. It demanded payment of at least $100m in damages, plus legal costs.
A four-year legal battle ensued. The County Court’s activities list reveals that Zurich sought two summary judgements in late 2021 (meaning that it asked the judge to make an independent decision on aspects of the case). One request concerned the hostile acts exclusion, while the other asked to limit the claim by Mondelez to $50m.
Zurich also repeatedly asked to exclude evidence introduced by Mondelez. This included communications between the food conglomerate and its broker, Marsh USA, evidence relating to other NotPetya claims by Zurich, evidence from Mondelez’s expert reports, and evidence from a report by Kroll, presumably into the NotPetya attack’s effect on Mondelez systems.
In September 2022, Zurich also asked to exclude evidence that Mondelez wanted to introduce concerning settlement negotiations, indicating that the companies were talking about winding up the case separately.
Around the end of October 2022, the two companies reached a settlement agreement. The last activity in the case is listed on Oct 31. Neither party disclosed the details. When we reached out for comment, Mondelez declined and our request to Zurich went unanswered.
Why did the two companies settle rather than push the case through to a ruling? No one aside from those involved in the secretive case can know for sure, but Josephine Wolff has an idea. The associate professor of cybersecurity and policy at Tufts University’s Fletcher School of Global Affairs points out that this wasn’t the only NotPetya-related case that had been making its way through the courts.
“There’s also this very related case happening in parallel, which both sides are watching very closely, that I think plays some role in this,” she says. “I’m just speculating here, but I would guess it was a significant factor in the decision to settle.”
Wolff is talking about a case between Merck and several insurers that was very similar to Mondelez vs Zurich. Merck had suffered losses from the NotPetya attack that it estimated at around $1bn. Like Mondelez, Merck had no cyber insurance policy, so it claimed against global property and damages coverage held with multiple insurers, including units of Chubb. The insurers invoked a wartime clause in the policy to justify withholding payment.
On 6 December 2021, a New Jersey judge ruled that the war exclusion did not apply to the property policy in the Merck case. The court reasoned that insurers had been using this language for years without any insurer applying it in this context. It also pointed out that even though cyber incidents had become more common, insurers hadn’t changed the language to reflect this. “Having failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare,” the ruling added.
“I think insurers had really been thinking of NotPetya as a little bit of a slam dunk for them because it was so widely attributed to Russia,” says Wolff. The Merck ruling turned that on its head.
Notably, the contended policies in both the Merck and Mondelez cases were not standalone cyber insurance policies. Instead, they were clauses that formed part of a general property policy. Why are companies attempting to secure damages for cyber attacks under these more general policies? Wolff points to two reasons.
The first is coverage size. “Standalone cyber insurance policies are much, much smaller than property casualty policies,” she says. Companies might source policies from multiple insurers to increase that coverage, but it’s arguably impossible to get a billion dollars with a cyber insurance policy. As potential losses from grand-slam cyber attacks increase, attack victims often turn to property and damage claims for relief.
It’s also difficult to separate traditional property damage from the effects of a cyber attack, Wolff points out. Property and damage clauses are designed to cover a broad gamut of risks, and insurers tend not to introduce lots of exclusions to these policies.
“That’s not the model of property and casualty insurance we’ve had for a long time,” she says. “It is much more that this covers all of the risks, except for a few specific exclusions.”
The catch-all nature of property and damage policies raises an industry term known as ‘silent cyber’. This is the risk that if an insurer doesn’t explicitly exclude cyber incidents from a policy, it is open to a cyber claim.
Silent cyber is a big deal for insurers. According to industry analyst AM Best’s June 2022 market segment report covering cyber in property and casualty markets, over half (51.2%) of the industry leaders at the firm’s Review & Preview insurance industry conference didn’t believe that the silent cyber problem could be fully eliminated. Another 39% felt that the industry could deal with it, but that it had a long way to go.
Insurers are trying to clarify the issue by rewriting their policy language to make clearer what is and isn’t covered. In August 2022, Lloyd’s issued a bulletin requiring standalone cyber-attack policies “to include, unless agreed by Lloyd’s, a suitable clause excluding liability for losses arising from any state backed cyber-attack.” That requirement takes effect from 31 March 2023.
As insurers seek to manage their exposure to cyber incidents, the stakes are rising. The World Economic Forum and Accenture recently found 86% of business leaders and 93% of cyber leaders predicting a catastrophic cyber event in the next two years as global instability mounts. The Merck and Mondelez cases might have been initial landmark events in the insuring of cyber incidents, but they’re unlikely to be the last.