Security Experts:

Connect with us

Hi, what are you looking for?


Cyber Insurance

Zurich Rejects Mondelez’ $100 Million NotPetya Insurance Claim Citing ‘Act of War’

In October 2018, Mondelez International filed suit against Zurich American Insurance Company. At stake is a $100 million insurance claim for damage caused by NotPetya.

In October 2018, Mondelez International filed suit against Zurich American Insurance Company. At stake is a $100 million insurance claim for damage caused by NotPetya. Zurich has rejected the claim, and Mondelez — owner of the Oreo, Cadbury, Milka and Toblerone brands — is suing for breach of (cyber insurance) contract.

Mondelez (NASDAQ: MDLZ) has an insurance policy with Zurich for “all risks of physical loss or damage”, including “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction…”

In June 2017, Mondelez succumbed to NotPetya, along with many others. It “rendered permanently dysfunctional approximately 1700 of MDLZ’s servers and 24.000 of its laptops… MOLZ incurred property damage, commercial supply and distribution disruptions. unfulfilled customer orders, reduced margins, and other covered losses aggregating well in excess of $100,000,000.”

NotPetya was a destructive malware introduced to the servers of Ukraine accounting software firm M.E.Doc. It was a supply chain attack that infected organizations using M.E.Doc software and then spread via the NSA-linked EternalBlue exploit. Since it also impacted multinational companies trading in Ukraine, it spread further into the wider world — including to Mondelez.

Zurich Rejects NotPetya Insurance Claim from ModelezIn March 2018, Zurich was classifying NotPetya as ransomware, and was even using it as a reason for taking out cyber insurance. But on June 1, 2018 it wrote to Mondelez saying it was denying the claim. The reason was the fairly standard ‘act of war’ exclusion in many insurance policies. 

Specifically, the Zurich policy excludes “loss or damage” caused by a “hostile or warlike action in time of peace or war” by any “(i) government or sovereign power…; (ii) military, naval, or air force; or (iii) agent or authority of any party specified in i or ii above.”

It seems that between March and June 2018, Zurich changed its classification of NotPetya from a criminal act to an act of war. This is the centerpiece of the legislation, and revolves around two questions that are hotly debated in cybersecurity: how can you definitively attribute the source of a malware attack; and when does a cyber incident become an act of war.

Belief is irrelevant. Most people accept that NotPetya was sourced by Russian state-affiliated actors, and that it was an act of war against Ukraine that spilled out into the wider world. Proving that to the satisfaction of a court of law is a different matter.

Russia has denied any involvement. But first the UK government, and then the remaining Five Eyes nations of the U.S, Canada, Australia and New Zealand, have all blamed Russia. The U.S. statement, dated February 15, 2018, says, “In June 2017, the Russian military launched the most destructive and costly cyber-attack in history… It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.”

On the surface, this statement supports Zurich’s exclusion of the Mondelez claim. But there are two weaknesses: firstly, intelligence agencies rarely provide proof of their assertions, and haven’t done so here. It raises the arguable possibility that this is a political statement rather than a proven fact. It does happen. Reports on Saddam Hussein’s nuclear intentions and other weapons of mass destruction are an example.

Secondly, failures in accurate attribution are not uncommon. Within the last week, ransomware (Ryuk) that had previously been linked with North Korea is now being linked with a “Russian-speaking actor”.

Perhaps the safer approach to government assertions of responsibility is to wait for actual indictments. Where this happens, the government is likely to be confident in the proof it has and is willing to make those assertions in open court, if the perpetrators are ever arrested.

In recent weeks, the U.S. has indicted two Iranians for the SamSam attacks, and two Chinese government hackers for the Cloud Hopper attacks.

Against this background to the Mondelez/Zurich case is the wider issue of the value of cyber insurance. If Zurich wins the case, will it mean that any malware attack that is ascribed to state actors can be excluded as an act of war? Whether accurately or not, a growing number of major cyber-attacks are being attributed to state-affiliated actors from countries such as Russia, China, Iran and North Korea. Where this is proven — or at least accepted by the courts — the Zurich exclusion clause would be validated.

It is fundamentally a question of attribution — a problem that has not been solved. It may, however, provide a home for the independent, international panel of experts proposed by Microsoft in its ‘Norms‘ paper. Insurance companies would be more likely to accept an independent ruling than governments.

Related: The United States and China – A Different Kind of Cyberwar 

Related: Talking Global Cyberwar With Kaspersky Lab’s Anton Shingarev

Related: Talking UK Cyberwar With Sir David Omand 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet