Insurance coverage

Mondelē​​z settlement in NotPetya case reignites concerns over cyber insurance coverage

This audio is generated automatically. Please let us know if you have any comments.

Mondelē​​z International, the global snack brand behind Oreo cookies and Ritz crackers, settled a massive lawsuit in 2018 against insurer Zurich American for more than $100 million in claims related to the NotPetya cyberattacks.

A multi-year lawsuit, which was close to conclusion before the deal was reached last month, focused on whether the insurer could withhold payment due to traditional acts of war exclusions. . The 2017 attacks, which damaged 1,700 servers and 24,000 laptops in Mondelēz, were linked to Russian-affiliated state threat actors using the EternalBlue exploit.

While the specific terms remain confidential, the settlement reignited fears that attacks related to Russia’s invasion of Ukraine or another global conflict could lead to a new round of business interruption claims, adding more pressure on insurers.

According to Katell Thielemann, VP analyst at Gartner, the NotPetya incident involved an attack on Ukrainian tax preparation software, which led to the shutdown of global manufacturing operations for some of the world’s largest multinationals.

“That should have been a wake-up call years ago,” Thielemann said. “Yet many organizations are just beginning to pay attention to the security status of their cyber-physical systems in production environments.”

While unable to address the specifics of the Mondelēz case, the development is seen as another indicator of how clarity of insurance policy wording is critical to the entire underwriting process, Sridhar said. Manyem, director of research and industry analysis at AM. Better.

“Lloyds of London has instructed its insurers to rule out catastrophic state-based cyberattacks stand-alone cyber cover,” Manyem said via email. “Other insurers should look closely at unintentional (silent and non-affirmative) losses and affirmative cyber losses that may result from acts of war or state actors, which may not have been priced.”

Data released in October by Marsh indicate insurance premium rates continue to rise sharply, but the pace of these increases is beginning to moderate. Average insurance rates in the July quarter increased by 54%, compared to increases of 133% in the December quarter.

According to Moody’s, cyberinsurers’ loss ratios fell to 65% at the end of 2021, due to price increases and tighter underwriting standards. The report cites data from Beazley showing a cyber loss rate of 49%, up from 69% at the end of 2021.

The cyber insurance industry, however, will continue to see significant demand for new policy coverage. The market is expected to reach $22 billion by 2025, up from $9.2 billion earlier this year, according to Moody’s report, citing data from Munich Re.

S&P notes that insurers have in some cases canceled contracts where policyholders failed to meet safety standards. In other cases, insurers have realigned policy terms, increased retention levels or reduced coverage for certain types of losses, particularly in situations involving ransomware or business interruption.

The cybersecurity community and the insurance industry are watching the war in Ukraine closely for related attacks on American organizations, but the insurance industry is more focused on what the government can do in response to these attacks.

“Indeed, the timing of this conflict is strange, as we are on the verge of seeing cyber warfare being universally excluded from positive cyber insurance policies and the wording of these exclusions is still being worked out,” Annmarie said. Giblin, partner at the law firm. by Hinshaw & Culbertson. “So these new exclusions and how these exclusions are going to be assigned to nation states could be largely influenced by how the US government reacts and responds to these recent cyberattacks.”

The Treasury Department Federal Insurance Office and the Cybersecurity and Infrastructure Security Agency in September issued a notice of comment regarding a potential federal backstop for catastrophic insurance losses involving critical infrastructure, Giblin said.

Mondelē’s law firm declined to comment and Zurich officials did not return requests for comment.