Mondelēz International, the global snacking brand behind Oreo cookies and Ritz crackers, has settled a massive 2018 lawsuit against insurer Zurich American over more than $100 million in claims related to the NotPetya cyberattacks.
A multiyear trial, which was close to reaching a conclusion before the deal was reached last month, centered on whether the insurer could deny payment under traditional act-of-war exclusions. The 2017 attacks, which damaged 1,700 servers and 24,000 laptops at Mondelēz, were linked to Russia-affiliated state threat actors using the EternalBlue exploit.
While specific terms remain confidential, the settlement has reopened fears that attacks linked to Russia's invasion of Ukraine or some other global conflict could lead to a new round of business interruption claims, adding more pressure to insurance providers.
The NotPetya incident involved an attack on Ukrainian tax preparation software, which led to the shutdown of global manufacturing operations of some of the world’s largest multinational companies, according to Katell Thielemann, VP analyst at Gartner.
“This should have been a wakeup call for all years ago,” Thielemann said. “Yet many organizations are just now starting to pay attention to the state of security of their cyber-physical systems in production environments.”
Sridhar Manyem, director of industry research and analytics at AM Best, was unable to address the specifics of the Mondelēz case but said the development is seen as another indicator of how critical the clarity of wording in insurance policies is to the entire underwriting process.
“Lloyd’s of London has mandated its insurers to exclude catastrophic, state-based cyberattacks from standalone cyber coverage,” Manyem said via email. “Other insurers should be looking closely at losses that were either non-intended (silent and non-affirmative) and affirmative cyber losses that may stem from acts of war or state-based actors, which may not have been priced.”
Data released in October from Marsh indicates insurance premium rates are still rising sharply, but the pace of those increases is beginning to moderate. Average insurance rates during the July quarter were up 54%, compared with increases of 133% during the December quarter.
According to Moody’s, loss ratios for cyber insurers fell to 65% at the end of 2021, due to price increases and tighter underwriting standards. The report cites Beazley data showing a cyber loss ratio of 49%, compared with 69% at the end of 2021.
The cyber insurance industry, however, will continue to see major demand for new policy coverage. The market is expected to reach $22 billion by 2025, compared with $9.2 billion at the beginning of this year, according to the Moody’s report, citing data from Munich Re.
S&P notes that insurers have in some cases canceled contracts where policyholders have failed to meet security standards. In other cases insurers have realigned policy terms, increased retention levels or reduced coverage for certain types of losses, particularly in situations involving ransomware or business interruption.
The cybersecurity community and the insurance industry are closely watching the Ukraine war for related attacks against U.S. organizations. However, the insurance industry is more focused on what the government may do in response to these attacks.
Speaking prior to the Mondelēz settlement, Annmarie Giblin, a partner at the law firm of Hinshaw & Culbertson, said the cybersecurity community is closely watching Russia-affiliated cyberattacks and the response of the insurance industry.
“Indeed the timing of this conflict is uncanny, as we are on the verge of seeing cyber war being universally excluded from affirmative cyber insurance policies and the wording of those exclusions is still being crafted,” said Giblin in an email. “Thus these new exclusions and how such exclusions are going to be attributed to nation states could be largely influenced by how the U.S. government reacts and responds to these recent cyberattacks.”
The Treasury Department’s Federal Insurance Office and the Cybersecurity and Infrastructure Security Agency in September issued a notice for comments regarding a potential federal backstop for catastrophic insurance losses involving critical infrastructure, Giblin said.
The law firm for Mondelēz declined to comment and Zurich officials did not return requests for comment.
Clarification: This story was updated to clarify Hinshaw & Culbertson’s Annmarie Giblin was referring to cyber insurance at large and not speaking toward the Mondelēz case.