Mondelez, the American food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, for refusing to pay a $ 100 million claim for damages caused by the NotPetya cyber attack.
The case will be the first serious dispute over how companies can recover costs cyber-attack, while insurance groups seek to precisely define their responsibilities.
"It's a very big deal. I have never seen an insurance company take this position, "said Robert Stines, cyber-law specialist at the US law firm Freeborn. "It's going to impact the insurance industry. Large companies will rethink the content of their policies. "
NotPetya's attack in the summer of 2017 paralyzed the computer systems of companies around the world, including Merck, the pharmaceutical company, Reckitt Benckiser, the consumer advocacy group, and Maersk, the largest shipping group in the world.
It caused billions of dollars in damage. The United States and the United Kingdom have criticized Russian hackers for attacking the Ukrainian government. The Kremlin denied any involvement.
In court documents filed in Illinois, Mondelez said it was hit twice by NotPetya, with 1,700 of its servers and 24,000 laptops rendered "definitely dysfunctional".
Mondelez requested to cover the costs of its property insurance policy which covered "loss of or damage to electronic data, programs or software, including property damage caused by the malicious introduction of a machine code or computer code." an instruction
According to Mondelez's court documents, Zurich had initially worked to adjust the claim in the usual way and had even promised at one point to make an interim payment of $ 10 million. But later he refused to pay, citing an exclusion in politics for "hostile or warlike action" from a government, sovereign power or people acting for their account.
Mondelez called Zurich's refusal "unprecedented" and demanded $ 100 million in damages. Both companies declined to comment on the case.
"It's a pretty daring decision to rely on a war exclusion for state-sponsored piracy. Nobody had mentioned this exclusion before, "said Sarah Stephens, a cyber-IT specialist with insurance broker JLT. "The insurer should prove it and it is so difficult to prove the attribution".
Rob Smart, technical director of insurance firm Mactavish, said the exclusions for terrorism and war were "a little blurry", but it was unlikely that the perpetrators of the police thought of such attacks during the war. creation of exclusion.
The claim is at the heart of one of the largest insurance sectors. worries about cyberattacks. While the market for insurance policies specific to cyber-businesses is booming, many companies claim cyberattacks on their contracts other than Internet users, as did Mondelez.
Insurers are worried about the full scope of this "silent cyber-exposure", and experts have said that Zurich could test the courts on this point.
"This is a significant loss for a policy other than cybercrime. This is a silent cyber-indemnity and insurers are trying to remove this coverage, "said Stephens.
Nevertheless, the case could have broad implications for the insurance market, potentially pushing insurance buyers to buy cyber-specific policies or to require stricter conditions for their non-cyber coverage.