Mondelez International – the food and beverage multinational company behind Oreo, Ritz crackers, Cadbury chocolate, and Tang drink mix – has settled its lawsuit against its insurer Zurich American Insurance Company over claims that Zurich refused to cover Mondelez’s over $100 million in expenses following the crippling ransomware cyberattack it suffered in 2017.
In June 2017, Mondelez became a victim of the NotPetya ransomware attack when about 1,700 of its servers and 24,000 of its laptops were rendered unusable by the malware. In addition to the loss of hardware, the company also suffered disruptions to its supply and distribution channels, unfulfilled customer orders, and even the theft of credentials from multiple users.
However, Mondelez’s insurer Zurich indicated in 2018 that coverage for the more than $100 million in cyberattack recovery expenses would be denied due to a war exclusion clause, as NotPetya was heavily suspected to be a state-sponsored ransomware campaign from Russia. This led to the food giant suing the insurance company to seek relief for breaches of contractual obligations, and claiming Zurich failed to honor its promises.
The case has since been held as an example of the potential gap in cyber policies.
Specific details of the settlement were not disclosed. The Register reached out to Mondelez for comment, but the food company declined to provide word. A spokesperson for Zurich said that "the parties have mutually resolved the matter."
"I would be willing to bet a lot that, especially the carrier, did not want to publicly reveal what their settlement position is on the applicability of war exclusions, and particularly both sides wanted to avoid a judge making a definitive ruling on that," Theon Technology advisory council member and attorney Bryan Cunningham told The Register.