- Mondelez, food manufacturer of Wheat Thins and Chips Ahoy! cookies, is suing its insurer Zurich American Insurance for $100 million for not covering NotPetya-related damages, reports The Financial Times based on court filings.
- NotPetya left 1,700 servers and 24,000 laptops "permanently dysfunctional" after the wiper attack hit Mondelez twice, according to court filings. The food company claims the damages fall under the coverage in its property insurance policy, which includes loss of electronic data, software and physical damage "caused by the malicious introduction" of malware, according to the report.
- Stolen user credentials and customer orders left unfulfilled are also among the damages inflicted by NotPetya that Mondelez is seeking compensation for, reports Bloomberg. However, in June 2018, Zurich American Insurance said it is exempt from fulfilling losses because the cyberattack, NotPetya, occurred during a "time of peace" in a "warlike" fashion.
Mondelez's case is the first to legally challenge the way companies obtain the money needed to resolve an issue caused by a cyberattack, according to The Financial Times. Insurance companies now have to grapple with changing their policies to accommodate more digital liabilities.
The White House confirmed NotPetya as a nation-state attack by the Russian military in February 2018, and Zurich is using that declaration to its advantage. If the courts rule in favor of Zurich and its exclusion policy is sufficient, it is likely to set the tone for other insurance providers. This case has the potential to set precedent for future cyberattack-related disputes with victims and their insurance providers.
Since cybercriminals don't always leave a calling card, attribution is difficult — if not impossible — to confirm. In this case, the federal government identified the culprit, which may work to Zurich's advantage.
Cybercriminals don't act exclusively in times of war. Omitting cyberattacks based solely on that addendum could defeat the purpose of having insurance.