Zurich reaches settlement with Mondelez over NotPetya hack

Zurich American Insurance and Mondelez have reached a settlement in their multi-year battle over the food company’s $100m claim over damages it suffered in the NotPetya cyberattack of 2017.

Details of the final settlement have not been disclosed.

Zurich had initially refused to pay for the claim, which was made under a property policy that covered property damage rather than an explicit cyber insurance policy. 

A Zurich spokesman issued a short statement upon request that only said: ““The parties have mutually resolved the matter.” Mondelez did not respond to a request for comment.

Mondelez attested in court it lost more than 1,700 servers and 24,000 laptops to the malware.

The high-profile case has (many argue unfairly) raised doubts among clients about the reliability of the insurance industry, and for that reason has been an annoyance for cyber brokers and underwriters around the world.

NotPetya was a destructive attack which masqueraded as ransomware, and was one of the most destructive cyber events in history. A White House assessment put the damages caused by NotPetya at $10bn, only a small fraction of which was insured.

The malware was first introduced into a Ukrainian accounting company’s software but quickly spread around the world, hitting many major companies including Mondelez, FedEx, Saint-Gobain, and German pharma giant Merck.

In January this year a New Jersey court ruled in favour of Merck, which estimated that it suffered more than $1.4bn in losses from NotPetya. Merck's insurer, Ace American, had refused to pay out on the grounds that NotPetya was an instrument of war created by Russia as part of its intimidation campaign against Ukraine.

"Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare," the court decided. It even noted that "no court has ever applied a war (or hostile acts) exclusion to anything remotely close" to the NotPetya attack.

Lloyd’s has made big efforts to exclude cyber risks from property policies and hive them off into a separate cyber market. 

At the same time, the corporation has pushed to exclude losses arising not just from war as it's traditionally understood but also from any state-backed cyber attacks that "significantly impair the ability of a state to function".

From Lloyd’s perspective, the corporation will be satisfied if carriers adopt the sample war exclusions published last November by the Lloyd’s Market Association, a body representing Lloyd's underwriters.

Previous
Previous

Opinion: Hurricane Ian Shows Why Cyber Reinsurers Should Have Bought ILWs Years Ago: Is It too Late?

Next
Next

Lloyd’s ‘best-placed’ to mature cyber class: Patrick Tiernan