Mondelez is the parent company of Nabisco, Oreo, Ritz and many other brands that are part of Kraft Foods.
Mondelez, like many other companies, was a victim of the NotPetya attack which turned 1,700 servers and 24,000 workstations at Mondelez into very expensive bricks.
Mondelez’ insurance company, Zurich American, denied the claim and hence the lawsuit, asking for 100 million dollars.
White House estimates of worldwide damage from NotPetya, at the time, were around 10 billion dollars, so Mondelez is claiming one percent of the total worldwide damage, which seems a bit high, but that is not the point.
The Zurich American policy in question offers this coverage:
“all risks of physical loss or damage” as well as “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”
It seems like this attack meets the requirements of this clause.
BUT, what insurance companies giveth, sometimes they taketh.
Zurich reviewed the claim and did what all insurance companies do – tried to figure out a way to reduce what they would have to pay out.
One survey said that companies collectively worldwide could potentially claim $80 billion in damages.
Zurich initially offered Mondelez $10 million to settle but then changed their mind. Why?
Because of another clause in the policy.
There is a clause in their policy (and many others) that has an exclusion for “hostile or warlike action in time of peace or war” by a “government or sovereign power.” The key phrase here is BY a government or sovereign power. Not hackers friendly to one. Not hackers mad at the world. You get the idea.
Security experts and some governments blamed Russia for the attack.
Russia (of course) denied that claim.
So now, it would appear, it is up to Zurich to prove, based on a preponderance of evidence, that this (a) is a hostile or warlike action – a term that is likely not defined in the policy and for which a generally accepted definition has possibly never been adjudicated through the court system through appeals and (b) that it was done by “a government or foreign power”. I don’t think it is sufficient to say “well the gov says it is”.
However this turns out – and we likely won’t know the final result for years – it will have an impact on the insurance industry. Possibly the two sides will settle out of court, leaving the question unanswered for future claims.
Likely the industry will change the terms of policies long before this is settled and large companies will negotiate terms with insurance carriers – which will affect premiums.
Invoking this kind of exclusion is apparently NOT a common technique to limit damages, according to some sources, and was probably precipitated by the size of the check that Zurich might have to write.
Likely much of the data that could be used to prove Zurich’s stance in this case is classified by the U.S. or other governments. Are those governments going to be willing to declassify that data for the benefit of one side of a civil lawsuit? Not clear, but stay tuned. Source: The Register.