Stratos Ally

Mondelez International vs. Zurich Insurance (2017 NotPetya Attack)

StratosAlly

Background

In June 2017, a devastating cyberattack known as NotPetya swept across the globe. Initially disguised as ransomware, NotPetya was later determined to be a wiper malware—its true purpose was to destroy data, not hold it for ransom. It primarily targeted organizations in Ukraine but quickly spread worldwide, affecting numerous multinational corporations, including Mondelez International, the parent company behind well-known brands like Oreo, Toblerone, and Cadbury.

Mondelez was severely impacted. The malware took down:

  • Over 1,700 servers
  • Approximately 24,000 laptops
  • Global operations, including manufacturing, sales, and distribution functions

The company estimated the financial damage to be in excess of $100 million, with significant disruption to its business continuity, production lines, and logistics.

Insurance Coverage and Denial

Mondelez had a comprehensive property and casualty policy with Zurich Insurance Group, which included provisions for cyber-related incidents. Initially, Mondelez filed a claim under this policy, expecting coverage for the massive losses it had incurred due to the malware attack.

However, Zurich denied the claim, invoking the policy’s “war exclusion clause.” This clause typically excludes coverage for damage resulting from war, invasions, insurrections, or hostile acts by sovereign powers. Zurich argued that NotPetya was a state-sponsored cyberattack attributed to the Russian government and thus fell under this exclusion.

This marked the beginning of a protracted legal battle, as Mondelez contested the denial, arguing that the clause was intended for traditional, kinetic warfare, not cyberattacks — especially those that cause collateral damage to unintended victims like private companies.

The Myth Busted

Myth: Cyber insurance covers all losses from a breach.

Reality: Many policies contain exclusions that limit coverage, especially for sophisticated attacks.

This case highlights a critical truth: cyber insurance does not automatically protect an organization from all losses related to a cyber event. In fact, many policies:

  • Exclude state-sponsored attacks
  • May not cover insider threats
  • Often exclude regulatory fines and penalties from data protection authorities
  • Have vague or outdated language that doesn’t reflect the current cyber threat landscape

Implications for Organizations

  • Assumptions can be dangerous: Simply having a cyber insurance policy does not mean you’re covered for all incidents.
  • Policy language matters: Definitions of “war,” “cyberterrorism,” and “hostile acts” must be scrutinized carefully.
  • Business continuity vs. insurance: Cyber insurance should complement, not replace, your risk management strategy.
  • Legal ambiguity: The lack of precedents in cyber insurance claims means insurers and organizations often end up in litigation, increasing costs and recovery time.

Lessons Learned

  • Review insurance coverage regularly with legal and cybersecurity teams.
  • Request clear confirmation on whether state-sponsored attacks and regulatory fines are covered.
  • Push for tailored policies that align with your threat model and industry-specific risks.
  • Treat insurance as just one layer in a broader cybersecurity posture.
