This Oreo Lawsuit Might Have Huge Implications for Cyber Insurance

Article Placeholder Image
By Lisa M. Schaffer, Esq. on January 16, 2019 2:48 PM

Lawyers love to haggle over definitions, and insurance companies love to get out of paying out policies. So imagine the conversations brewing over the Oreo-NotPetya lawsuit.

NotPetya is ransomeware that infected millions of computers in 2017, causing $10 billion dollars in damage to companies worldwide. Though the Russian government vehemently denies it, most believe it was the culprit behind creating and disseminating the ransomeware.

Mondelez, the parent company of such delicious brands as Oreo, Nabisco, and Toblerone, was one of the affected companies. Mondelez claimed it suffered $100 million in damages to its hardware and operational software systems, property, commercial supply and distribution disruptions, unfulfilled customer orders, reduced margins, and other losses. These damages were presumably covered by its insurance policy with Zurich American Insurance Company, so Mondelez submitted a claim. But that claim still has not been paid out because, according to the insurance company, the cyberattack was an act of war.

Mondelez Had a Malware Clause in Its Active Insurance Policy

Mondelez's policy included coverage for all risks of physical loss or damage to property, including "physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction." Ransomeware definitely falls into this definition, so one might think the case was closed. The policy was in effect at the time of the infection, and the the coverage provided for loss or expenses incurred by Mondelez while its business was interrupted from the ransomeware infection. Mondelez thought it was covered. But Zurich attempted to wiggle out.

But Was This an Act of War?

According to Zurich, NotPetya was a "hostile or warlike action" by a "government or sovereign power," namely Russia, and therefore Zurich claims it does not have to pay out on this policy. The insurance company claimed that it is widely believed that NotPetya seemed like ransomeware, but it was actually a Russian cyberattack, which they claims constitutes an act of war. Keep in mind that according to this theory, Russia's target was Ukraine, but the virus spread out of control. Hopefully Russia has different designers for its nuclear weapons.

Lawsuit Ruling Could Have Widespread Effect

Mondelez sued Zurich to force them to pay on the insurance policy. Zurich has its work cut out for itself. It has to prove that Russia was behind this, and that this is enough to trigger the "act of war" exclusion clause.

However, if Zurich is successful, it sets a precedent for other insurance companies that have similar policies to its clients. Those insurance companies would not only escape paying out NotPetya claims, but also all future similar malware claims.

If your insurance company is looking to wiggle out of claims due to your small business, contact an insurance attorney. A legal expert can look through your policy to see if the words contained in the document, coupled with legal precedent, can force the insurance company to pay you what you are rightfully owed. After all, experiencing the loss was undoubtedly bad enough. You pay insurance premiums for instances such as this.

Related Resources: