Believed to be the first serious legal dispute over how companies recover costs of a cyber attack

Zurich is facing a $100m lawsuit over a NotPetya claim it apparently refuses to pay.

Mondelez, the US food company that owns the Oreo and Cadbury brands, said it was hit twice by the NotPetya attack, which left 1,700 of its servers and 24,000 laptops ‘permanently dysfunctional’.

It is believed that this is the first serious legal dispute over how a company can recover the costs of a cyber attack.

Robert Stines, a cyberlaw specialist at the US law firm Freeborn, told the Financial Times: “It’s a pretty big deal. I’ve never seen an insurance company take this position.

“It’s going to send ripples through the insurance industry. Major companies are going to rethink what’s in their policies.”

The NotPetya attack of summer 2017 had a devastating effect on the computer systems of some major firms across the world, including Maersk, the world’s largest shipping group, causing billions of dollars of damage.

The US has blamed the attack on Russian hackers who were targeting the Ukrainian government.

The Kremlin has denied the allegations.


Industry insiders told Insurance Times that Zurich is disputing the case because the claim was made on a property policy, and not a cyber policy. Had Mondelez claimed on a cyber policy, the claim would have been different.

Mondelez said its policy provided cover for “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction”.

The food company even said that Zurich initially promised an interim payment of $10m, but then changed its mind and refused to pay.

The reason given was based on an exclusion in the policy for “a hostile or warlike action” by a government or sovereign power or people acting for them.

“It’s a pretty bold move to rely on a war exclusion for a state-sponsored hack. Nobody has raised this exclusion before,” said Sarah Stephens, a cyber specialist at insurance broker JLT.

“The insurer would have to prove it and it’s so hard to prove attribution.”

Both companies declined to comment as the case is ongoing.