March 27, 2019

NotPetya act of war exclusion spreads to second insurer

By Lucy Ingham

A second insurer has refused to pay out over the NotPetya cyberattack based on an act of war exclusion, prompting growing concerns for businesses relying on cybersecurity insurance to shield them from damage.

Insurer Hiscox is believed to be refusing to pay a claim by multinational law firm DLA Piper over damage caused by the NotPetya cyberattack, citing the act of war exclusion due to the suspected involvement of the Russian government.

It follows a similar refusal by Zurich to Mondelez, which saw the insurer also decline to pay damages caused by NotPetya due to the act of war exclusion clause. Mondelez is now suing Zurich for $100m over the decision.

NotPetya, which occurred in 2017, was a ransomware attack that encrypted infected file systems, forcing those affected to pay a ransom demand in Bitcoin or permanently lose the affected data.

It is believed to have been designed to target the Ukrainian government and infrastructure companies, but affected businesses across Europe and, to a lesser extent, the US. The cost to businesses is thought to total more than $1.2bn.

In February 2018 the UK government took the unusual step of blaming the attack on the GRU Russian military intelligence agency, suggesting strong confidence in the accusations.

NotPetya act of war exclusion raises concerns for businesses

The decision by a second insurer to refuse to pay out over NotPetya on the basis of the act of war exclusion is of particular concern for businesses because it raises doubts that insurance can provide an effective safety net against cyberattacks – particularly given the increasing role nation states are playing in the cybersecurity arena.

“Even those with comprehensive cyber insurance coverage are far from guaranteed to be able to recover the costs of a cyberattack,” commented Anjola Adeniyi, Technical Leader, EMEA at Securonix.

“This most recent dispute between multinational law firm DLA Piper and their insurance firm Hiscox over the damages associated with the NotPetya attack is the most recent example of the ‘act of war’ exclusion clause being at the centre of an insurance dispute.”

For businesses, there needs to be a greater focus on avoiding such attacks, rather than relying on payouts to make the company whole when they happen.

“The increasing difficulties facing companies who try and claim insurance following a cyberattack are highlighting the growing need to implement preventative strategies,” added Adeniyi.

“Whilst many companies will fall victim to a ransomware attack, one of the first steps they need to take is to ensure it doesn’t happen again. Computer systems need to be up-to-date on security patches, networks monitored for infections and employees educated on cyber hygiene.”