Oreo Cookie Parent Company Sues Insurance Carrier Over NotPeyta
Cyber liability insurance or general coverage? That’s the dispute between Mondelez and Zurich over the payment of a claim for a NotPetya attack where Modelez was a victim. Mondelez is the US food company that owns the Oreo and Cadbury brands and it alleged that it was hit twice by NotPetya in 2017, with 1,700 of its servers and 24,000 laptops rendered “permanently dysfunctional”. Mondelez submitted a claim for the cost for the loss of hardware on its property insurance policy that provided coverage for “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction”. Despite initially saying it would pay, at least part of the claim, Zurich denied the loss under a hostile or warlike exception to the policy.
See the U.S. and U.K. believed that Russia was responsible for the attack so Zurich denied the claim. Wow. That’s amazing given there is no real evidence, only speculation, that Russia was responsible. Also, normally insurance companies cover the losses to hardware when there is an attack, even a cyber related attack. But in this instance Zurich did not want to pay and now Zurich has to prove it was Russia that perpetrated the attack and it fits with in the “hostile or warlike” exception under the policy.
That’s going to be difficult to do and I suspect Zurich will eventually lose the battle. However, the precident that it will create will be quite interesting, as much as insurance companies want to sell those cyber insurance policies, they only want the income from the perceived protections they provide, they do not actually want to pay out!