{
	"id": "add9f424-2fab-494a-a10d-1b2a28dc458d",
	"created_at": "2026-04-06T00:20:05.90854Z",
	"updated_at": "2026-04-10T03:21:38.035408Z",
	"deleted_at": null,
	"sha1_hash": "a0e13df356f8b2dba18eae8c3fdf30a7ed945865",
	"title": "Mondelez and Zurich reach settlement in NotPetya cyberattack insurance suit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90346,
	"plain_text": "Mondelez and Zurich reach settlement in NotPetya cyberattack\r\ninsurance suit\r\nBy Alexander Martin\r\nPublished: 2022-12-22 · Archived: 2026-04-05 14:43:16 UTC\r\nMondelez International and Zurich American Insurance reached a settlement late last week in their multi-year\r\nlegal battle over the food company’s $100 million claim regarding damage from the NotPetya cyberattack in 2017.\r\nThe insurer had initially refused to cover the damage to Mondelez, which in court documents attested it lost more\r\nthan 1,700 servers and 24,000 laptops to the malware. Details of the final settlement have not been disclosed.\r\nNotPetya was a destructive attack which masqueraded as ransomware, and reportedly caused more than $10\r\nbillion in global damages. While it encrypted its victims’ machines and left a demand for a ransom payment, it\r\nwas not actually designed to be decrypted.\r\nThe malware used an exploit which allowed the virus to spread automatically through trusted networks. It had first\r\nbeen introduced into a popular Ukrainian accounting company’s software but quickly spread beyond Ukraine to\r\nhit numerous other countries and companies, including Mondelez and Merck.\r\nMondelez, the multinational corporation behind Oreos, Ritz crackers, and dozens of other snack food brands, did\r\nnot respond to The Record for comment. A spokesperson for Zurich Insurance said they could only provide a short\r\nstatement in response: “The parties have mutually resolved the matter.”\r\nThe case between the two was complex because Mondelez had not taken out an explicit cyber insurance policy but\r\na property policy that it argued covered cyberattacks. 
\r\nZurich claimed in response that the damage caused by NotPetya was excluded from this policy on the grounds it\r\nwas a \"hostile or warlike action\" conducted by a \"government or sovereign power.\"\r\nThe settlement will “fuel growth for the cyber insurance market,” according to Billy Gouveia, the chief executive\r\nof incident response business Surefire Cyber.\r\n“As cyber risk remains a top concern for businesses, it is important for organizations to prepare and protect\r\nthemselves on all fronts,” he told The Record, referencing a range of preparations from incident response planning\r\nthrough to insurance.\r\nCraig Dunn, the head of Cyber M\u0026A Insurance EMEA for Aon, told The Record he didn’t think the settlement\r\nwas “much of a surprise.”\r\n“In short, the policy was not a cyberinsurance policy — it was a property policy that provided some cover for\r\ncyber events — and Zurich was in a bit of hot water while Mondelez felt like they were in a fairly strong\r\nposition.”\r\nhttps://therecord.media/mondelez-and-zurich-reach-settlement-in-notpetya-cyberattack-insurance-suit/\r\nPage 1 of 4\n\nDunn, who previously led Hiscox Europe’s cyberinsurance business, explained that NotPetya left the whole\r\nmarket feeling the war exclusions included in most policies were not fit for purpose. Lloyds of London recently\r\nled an effort to revamp these exclusions and find some kind of solution that balanced the needs of the customers\r\nand the insurance market.\r\nThe exercise involved different insurers and brokers who ultimately came up with four different exclusions that\r\ncan be used to reject claims for state-based attacks in different ways.\r\n“Despite the negative press that Lloyds of London got for some of the exclusions they’ve come up with, the vast\r\nmajority of insurers are adopting variants where the intention is to only exclude nation state attacks that form part\r\nof an armed conflict or impact the underlying functioning of a state. 
In short, the intention is generally not to\r\nexclude something like North Korea hacking Sony back in 2014,” said Dunn.\r\nWhile one of the exclusions would not cover incidents like the Sony hack, Dunn said “most insurers realize this\r\ndoes not meet their clients’ needs and are happy to provide cover for events that impact individual companies.\r\nThis important detail was missed by previous reporting.”\r\nAct of War?\r\nThe settlement follows a New Jersey court ruling earlier this year in favor of Merck, which had sued its insurer,\r\nAce American, for refusing to cover the damages it suffered because of NotPetya.\r\nIn that case, the court dismissed Ace American’s defense that the attack was an “Act of War” and therefore\r\nexcluded by the insurance contract. Merck’s lawyers successfully argued that “Acts of War” as defined in the\r\ncontract referred exclusively to “official state actions,” which the NotPetya attack did not count as.\r\nThe United States and United Kingdom have attributed the NotPetya malware to the Russian Federation, with the\r\nNational Cyber Security Centre finding the Russian military was “almost certainly responsible” — the highest\r\nconfidence rating the intelligence agency gives. The Kremlin has repeatedly denied it orchestrated the attack.\r\nNotPetya highlighted the risks that a catastrophic cyberattack could pose for the insurance industry, which could\r\nfind itself without the capital to support claims.\r\n“There are a lot of concerns about aggregation of risk. 
Unlike in property insurance where insurers can diversify\r\nrisk by simply ensuring they don’t insure too many homes or businesses in one geographical region – the same\r\ncannot be said of cyber,” explained Dunn.\r\nPart of the problem is a lack of diversity within the technology sector, with so many businesses using Windows\r\nand relying on cloud services provided by a limited number of vendors, Dunn said, “meaning risk can’t be\r\ndiversified based on geographical location, so insurers must be careful not to take on too much risk.”\r\nThe four different exclusions which Lloyds had come up with included the concept of an impact state, where the\r\nonly losses excluded will be those that are incurred within a war zone or within the state where the critical national\r\ninfrastructure has been severely damaged. “Losses suffered in other countries, where critical national\r\ninfrastructure (CNI) remains operational and where no state of war exists, would be covered,” explained Dunn.\r\n“For instance, if a company operating both inside and outside of Ukraine is attacked today by the Russians and\r\nthey happened to have this version of the war exclusion in their cyber insurance policy, then any losses incurred as\r\na result of their IT infrastructure being taken out inside of Ukraine, which is in a state of war and as such is an\r\n‘impacted state,’ would be excluded,” he said.  “However, if their operations in the U.S. or U.K. are also impacted,\r\nany losses stemming from this would be covered, since the U.S. and U.K. are outside of the war zone and have not\r\nsuffered attacks against their CNI.”\r\nAlexander Martin\r\nis the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow\r\nat the European Cyber Conflict Research Initiative, now Virtual Routes. 
He can be reached securely using Signal\r\non: AlexanderMartin.79\n\nSource: https://therecord.media/mondelez-and-zurich-reach-settlement-in-notpetya-cyberattack-insurance-suit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/mondelez-and-zurich-reach-settlement-in-notpetya-cyberattack-insurance-suit/"
	],
	"report_names": [
		"mondelez-and-zurich-reach-settlement-in-notpetya-cyberattack-insurance-suit"
	],
	"threat_actors": [],
	"ts_created_at": 1775434805,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0e13df356f8b2dba18eae8c3fdf30a7ed945865.pdf",
		"text": "https://archive.orkl.eu/a0e13df356f8b2dba18eae8c3fdf30a7ed945865.txt",
		"img": "https://archive.orkl.eu/a0e13df356f8b2dba18eae8c3fdf30a7ed945865.jpg"
	}
}