
Revisiting War Exclusion in Cyber Policies


With two cyberattacks labeled as state-supported – NotPetya and WannaCry, attributed to support from the Russian and North Korean governments, respectively – insurers and insurance buyers should begin a discussion about the wording of the war exclusion in cyber insurance policies.

Reaching the threshold of ‘warlike’ activity will require more than a nation-state acting with malicious intent, says the recent study “NotPetya Was Not Cyber ‘War,’” which was written by cyber practice experts at Guy Carpenter’s sister company Marsh. One continuing discussion for the insurance industry is whether the pervasive war exclusion found in cyber insurance policies could have prevented coverage in the case of NotPetya. Associating the war exclusion with NotPetya arose from two factors:

  1. the incident caused substantial economic damage;
  2. the U.S. and U.K. governments attributed the attack to the Russian military.

However, the study explains that NotPetya was not a cyber “war” because its consequences did not go beyond economic losses, the victims operated far from any field of conflict and worked purely in civilian tasks, and NotPetya was not a weapon that supported a military use of force.

The debate over whether the war exclusion could have applied to NotPetya – and others like it – demonstrated that if insurers are going to continue including the war exclusion on cyber insurance policies, the wording should be reformed to make clear the circumstances required to trigger it, the study says. Absent that clarification, insurers and insurance buyers must default to the Law of Armed Conflict, including rulings that might be more than a century old, to discern between the categories of criminal activity and warlike actions. 

NotPetya was preceded by WannaCry just a month earlier. Together, they affected organizations in more than 150 countries and caused business interruptions and other losses worth over USD 300 million. In addition, the two incidents caused several companies reputational damage and loss of consumer data. Total costs from the incidents potentially rose into the billions as companies spent significantly to restore global operations.

