Mondelez case prompts cyber warning

Risk professionals have stressed the importance of effective cyber risk plans and proper insurance coverage, following the high-profile dispute between food giant Mondelez and Zurich.

The case underlines a new grey area for insurers and policyholders. Companies are hopeful broad policies will cover cyber risk, while insurers fear cyber exposure on non-cyber policies. The ruling on the Mondelez-Zurich case is likely to be a landmark for insurers and risk professionals across the globe. The dispute comes as the nascent cyber-insurance market continues to develop, with an increased demand for cyber policies.

How the case unfolded

It was a nightmare. Executives at one of the world’s largest snack companies, Mondelez, watched as 1,700 servers and 24,000 laptops were permanently paralysed by a malware attack.

As a result, the firm was forced to repair and replace equipment, while customer orders went unfulfilled amid chaos in the supply and distribution system.

All told, Mondelez, reasons it was left more than $100m out of pocket as a result of the attack. But executives expected to get it back because they were insured for such a loss. Or so they thought.

After the NotPetya malware devastated many of its systems on 27 June 2017, Mondelez got in touch with its insurer Zurich.

The US-based snack maker, which owns Cadbury, Milka and Toblerone - among a feast of other household names - had a “voluminous” property policy with the US arm of the Swiss insurer.

The one-year policy, which kicked in on 1 November 2016, covered “all risks of physical damage” to Mondelez’ property. Whatsmore, it specifically protected against “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction,” according to court documents.

What Petya?

After filing its claim, Mondelez says it worked with Zurich, providing “voluminous” amounts of information quantifying and substantiating the extent of its losses. It also let the insurer speak to its staff and consultants, who could give a view on how the attack happened.

Meanwhile, Mondelez says, Zurich was telling potential policyholders that the NotPetya attack - so called because it resembled another less serious virus dubbed Petya unleashed a year earlier - was a ransomware scheme and suggesting customers should buy more insurance to cover against such events.

Nevertheless, as the one-year anniversary of the attack neared, Zurich wrote to Mondelez with some bad news. It was refusing to pay the claim.

Zurich says no

It relied on a contractual term buried in the policy documents to justify its decision. And although “Exclusion B.2(a)” may not sound like much, it may just mean that Mondelez doesn’t get paid.

The section reads:

This Policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this policy, contributing concurrently or in any other sequence to the loss:

(i) government or sovereign power (de jure or de facto);

(ii) military, naval, or air force; or

(iii) agent or authority of any party specified in i or ii above.

Zurich refused to comment on the case saying it did not discuss confidential claims information. However in a filing responding to the Mondelez claim in an Illinois court, Zurich confirmed that it had denied the claim, citing Exclusion B.2(a).

In a statement emailed to this publication, Michael Barry of the Insurance Information Institute in New York suggested that the exclusion Zurich is relying on to deny the claim under Mondelez’ property policy could also apply to some standalone cyber policies.

“In property insurance, it is common to have policy exclusions incorporated into them for damages incurred by state-sponsored hostile attacks, war, or terrorism,” he said. “There is no standardised cyber insurance policy.”

“Nonetheless, most cyber insurance policies do have a war exclusion,” he went on.

“Yet,” he said, “this exclusion often does not extend to cyber terrorism-related exposures, including state-sponsored hostile attacks.”

The Kremlin connection

There is good reason to think that there was a state actor behind the NotPetya attack, though it is important to note that it is yet to be formally proven exactly who was behind the attack. Both the UK and US have publicly blamed the Russian government for the virus, which is estimated to have wreaked about $10bn of damage worldwide and also crippled the likes of Danish shipping giant Maersk and American pharmaceutical maker Merck. 

But, Mondelez says, Zurich’s decision to depend on an policy term excluding claims resulting from a “hostile or warlike action” to refuse to pay for a malicious cyber incidents was “unprecedented”.

In addition it says: “The purported application of this type of exclusion to anything other than conventional armed conflict or hostilities was unprecedented’”

“On this basis alone,” Zurich was wrong to refuse to pay the claim, it concludes.

Mondelez claims that the outdated policy language was not designed to specifically exclude cyber incidents from the coverage. As a result, Mondelez says, senior managers at Zurich knew that the decision to refuse the claim was “wrongful and improper”. Zurich denies this.

Allegedly fearful that the snack giant would immediately launch litigation, causing a storm of negative publicity about the insurer’s philosophy around paying cyber claims, Zurich took the unusual step of retracting its letter denying cover for the attack.

Instead, Zurich said it would continue to adjust Mondelez’ claim and offered a $10mn advance, which the snack giant says was an attempt to stop it from suing the insurer.

And it worked, although Mondelez did not receive the cash advance, it held back from filing a suit against the insurer. But then on 9 October when “patience had run out” at Mondelez, Zurich wrote to the firm, again denying coverage for the NotPetya virus under the property policy. The following day, Mondelez filed its claim.

Responding, Zurich denied all of the substantive allegations made by Mondelez. Both firms have called for a jury trial to decide whether the claim is covered.

The case continues.

Why risk managers should care

Eamonn Cunningham, an Australia-based independent risk consultant, says risk managers need to focus on a traditional risk management approach to cyber before looking at insurance: “It may be a new risk but the approach to its treatment, while a little more challenging, is pretty much the same as you would adopt for your traditional risks.”

Cunningham said broad insurance coverage — or even dedicated cyber policies — may not be enough on their own: “Many people simply adopt the view that you need a cyber policy to cover cyber risks. That is probably too simplistic a position to adopt. At the other end of the spectrum, there are risk managers who will hope to rely on broader wording in their property and casualty policies to get them across the line in seeking a risk transfer solution for cyber exposures.”

Cunningham said companies should conduct thorough risk mitigation plans before looking at insurance: “The more time you invest in understanding the shape and form of this risk and figure out how it could impact you, the better chance you will have in formulating a risk mitigation plan. Be detailed and deliberate in your work, don’t rush it and you will be glad you took your time. Looking at something as new as this requires some scenario planning. Finding answers to the multitude of ‘what if’ questions will lead to a more resilient result.”

Cunningham warned risk managers to carefully review their policy wording: “When you eventually get to considering risk transfer to market solutions; as a matter of course you should take a hard look at the coverage clauses, and at the same time stress test relevant exclusionary language.”

Hans Læssøe, founder of risk management consultancy Aktus, believes the Mondelez case underlines the dangers of relying on insurance: “We are back in the not so unusual situation, where the openness and willingness of the insurance company is one thing, when you buy an insurance, and something quite different when you wish to/need to draw upon this. I have seen the same thing with credit risk insurance, where the first indicator a customer/partner was in trouble was the insurance company informing you, that “they would not cover losses incurred by future orders” – which essentially makes the concept of credit risk insurance a joke.”

Læssøe adds: “You should not buy insurance “because you can”, but because the incident will hamper you beyond your risk tolerance. You are not insuring cyber – you are insuring your business.”

Susie Jones, CEO of cybersecurity risk specialist Cynch, says risk managers should not rely on broad coverage for cyber claims. “Relying on property to cover cyber incident is not a very wise risk management decision. The main intention of the Zurich policy is not to cover cyber incidents, and that is how they have gotten themselves into this issue. If you’re looking for coverage for cyber incidents, you really need a cyber insurance policy that covers you for property damage,” she adds.