Fiber optic cables feed into a switch inside a communications room at an office in London, U.K., on Monday, May 21, 2018. The Department of Culture, Media and Sport will work with the Home Office to publish a white paper later this year setting out legislation, according to a statement, which will also seek to force tech giants to reveal how they target abusive and illegal online material posted by users. Photographer: Jason Alden/Bloomberg via Getty Images
PHOTO: Bloomberg/Bloomberg/Bloomberg via Getty Images
Fiber optic cables feed into a switch inside a communications room at an office in London, U.K., on Monday, May 21, 2018. The Department of Culture, Media and Sport will work with the Home Office to publish a white paper later this year setting out legislation, according to a statement, which will also seek to force tech giants to reveal how they target abusive and illegal online material posted by users. Photographer: Jason Alden/Bloomberg via Getty Images
Now playing
02:18
How to protect yourself from hackers
small business loans
small business loans
Now playing
02:45
Funding delays leave small businesses in limbo
Mandatory Credit: Photo by JUSTIN LANE/EPA-EFE/Shutterstock (11700603g)
Pedestrians walk past a closed store in New York, New York, USA, on 08 January 2021. The United States' Bureau of Labor Statistics released data today showing that the US economy lost 140,000 jobs in December and that the unemployment rate is at 6.7 percent as businesses continue to struggle with the economic impact of the coronavirus pandemic.
Coronavirus Economy Impact, New York, USA - 08 Jan 2021
PHOTO: Justin Lane/EPA-EFE/Shutterstock
Mandatory Credit: Photo by JUSTIN LANE/EPA-EFE/Shutterstock (11700603g) Pedestrians walk past a closed store in New York, New York, USA, on 08 January 2021. The United States' Bureau of Labor Statistics released data today showing that the US economy lost 140,000 jobs in December and that the unemployment rate is at 6.7 percent as businesses continue to struggle with the economic impact of the coronavirus pandemic. Coronavirus Economy Impact, New York, USA - 08 Jan 2021
Now playing
01:30
Another 745,000 Americans filed for first-time unemployment benefits
PHOTO: YouTube/Everyday Astronaut
Now playing
01:19
Watch SpaceX Mars prototype rocket nail landing, explode on pad
Now playing
02:55
Marriott CEO: We want travelers to feel safe
CHICAGO, ILLINOIS - JANUARY 15: Demonstrators participate in a  protest outside of McDonald's corporate headquarters on January 15, 2021 in Chicago, Illinois.  The protest was part of a nationwide effort calling for minimum wage to be raised to $15-per-hour. (Photo by Scott Olson/Getty Images)
PHOTO: Scott Olson/Getty Images
CHICAGO, ILLINOIS - JANUARY 15: Demonstrators participate in a protest outside of McDonald's corporate headquarters on January 15, 2021 in Chicago, Illinois. The protest was part of a nationwide effort calling for minimum wage to be raised to $15-per-hour. (Photo by Scott Olson/Getty Images)
Now playing
03:31
What a $15 minimum wage really looks like
PHOTO: MyHeritage
Now playing
01:01
Watch old photos come to life using AI
Now playing
01:19
Warren proposes wealth tax: 'It's time for them to pay a fair share'
Nigerian former Foreign and Finance Minister Ngozi Okonjo-Iweala smiles during a press conference on July 15, 2020, in Geneva, following her hearing before World Trade Organization 164 member states' representatives, as part of the application process to head the WTO as Director General. (Photo by Fabrice COFFRINI / AFP) (Photo by FABRICE COFFRINI/AFP via Getty Images)
PHOTO: FABRICE COFFRINI/AFP/Getty Images
Nigerian former Foreign and Finance Minister Ngozi Okonjo-Iweala smiles during a press conference on July 15, 2020, in Geneva, following her hearing before World Trade Organization 164 member states' representatives, as part of the application process to head the WTO as Director General. (Photo by Fabrice COFFRINI / AFP) (Photo by FABRICE COFFRINI/AFP via Getty Images)
Now playing
04:05
WTO Chief: We need equitable and affordable access to vaccines
Goya Foods President Robert Unanue speaks at a press conference with Carlos Vecchio, the Venezuelan Ambassador who is recognized by the United States on December 21, 2020 in Doral, Florida. The two held the press conference to discuss details of a recent shipment of humanitarian aid to Venezuela, donated by Goya Foods. (Photo by Joe Raedle/Getty Images)
PHOTO: Joe Raedle/Getty Images
Goya Foods President Robert Unanue speaks at a press conference with Carlos Vecchio, the Venezuelan Ambassador who is recognized by the United States on December 21, 2020 in Doral, Florida. The two held the press conference to discuss details of a recent shipment of humanitarian aid to Venezuela, donated by Goya Foods. (Photo by Joe Raedle/Getty Images)
Now playing
03:24
Goya CEO under fire for false Trump election claims
Now playing
01:23
'There should be no threats': Biden's message to union-busters
Misinformation Trump Capitol March rn orig_00004630.png
Misinformation Trump Capitol March rn orig_00004630.png
Now playing
04:08
These Trump supporters are convinced he will be president again on March 4
Now playing
01:36
Michael Bolton wants you to break up with Robinhood
Now playing
01:57
Fed chief downplays inflation concerns
Now playing
04:34
See what has happened to Trump's DC hotel after his loss
Now playing
01:41
Meet the 29-year-old cancer survivor set to make history in space
(CNN Business) —  

Cyberattacks are a nightmare for chief executives. To make matters worse, their insurers may refuse to pay up for damage the hackers do to their business.

A dispute between food and beverage giant Mondelez and Zurich Insurance (ZURVY) shows just how much is at stake. Mondelez has filed a lawsuit in Illinois that accuses the insurance company of refusing to cover losses it suffered as a result of the NotPetya cyberattack.

The attack swept across the world in June 2017, infecting networked computers at companies including advertising group WPP (WPPGF), drugmaker Merck (MKGAF) and global shipping company FedEx (FDX).

Mondelez (MDLZ) said in October 2018 that the attack cost it at least $114 million. But according to the lawsuit, Zurich Insurance has cited a “war exclusion” and refused to cover the losses.

The ‘war exclusion’

The United States and the United Kingdom have blamed the NotPetya attack on Russia, suggesting that it was part of an effort to destabilize Ukraine.

In its lawsuit, Mondelez claims that Zurich Insurance subsequently refused to compensate it for losses suffered in the attack, citing a contract exemption for a “hostile or war like act” by any “government or sovereign power.”

Zurich Insurance declined to comment on the dispute, saying it does not give details about individual policies. Mondelez also declined to comment.

The case could prove to be an important test for both companies and insurers, and help to establish when policyholders should be compensated for a cyberattack.

Rising threat

Executives in Europe, East Asia and North America say cyberattacks are the number one risk facing their companies, according to a survey published in November by the World Economic Forum.

Yet many companies do not have insurance that specifically covers cybercrimes, relying instead on general “all-risk” policies.

“Many of these all-risk policies may not even mention cyber, they were not designed to cover cyber,” said Christine Marciano, CEO of insurance broker Cyber Data Risk Managers.

“They were written at a time when nobody could have predicted that these attacks would happen,” she said.

Marciano said the insurance industry is closely watching legal actions such as the one filed by Mondelez to see whether more general policies should cover cyberattacks.

Contagious attacks

The nature of cyberattacks present real risks for insurers, as well as their clients.

Domenico del Re, an insurance expert and director at PwC, said insurers are most worried about systemic cyberattacks on the scale of NotPetya because they can simultaneously affect multiple clients across the world.

“This is what is different about cyber,” he said. Other risks, like theft or kidnapping, are unlikely to affect multiple clients at the same time, he added.

The damage can also be extensive.

“There is a myriad of ways in which a cyberattack can cause financial loss — actual physical loss to the IT equipment, claims from third parties whose data was lost, fines, fraudulent transactions,” del Re said.

That means that an insurance company could be on the hook for physical and financial losses, as well as damage to users and clients caused by data theft.

Data issues have become even more pressing after the General Data Protection Regulation (GDPR) came into effect last year in Europe. The law can mean huge fines for companies.

This could happen to you

“Companies that used to have the mindset of ‘this can’t happen to me’ …. are now starting to realize this is something they can’t be without,” said Marciano.

Limited data on the damage caused by major cyberattacks makes it difficult for insurance companies to model and price policies.

Mondelez said its $114 million in losses were caused by property damage and disruptions to its business. It said in October that NotPetya had destroyed 1,700 of its servers and 24,000 of its laptops.

Equifax (EFX), which was also hit by a huge hack in 2017, said its damages exceeded $350 million. Insurance has so far covered $95 million, it said in its most recent quarterly financial report.