A second insurer has refused to pay out over the NotPetya cyberattack based on an act of war exclusion, prompting growing concerns for businesses relying on cybersecurity insurance to shield them from damage.
Insurer Hiscox is believed to be refusing to pay a claim by multinational law firm DLA Piper over damage caused by the NotPetya cyberattack, citing the act of war exclusion due to the suspected involvement of the Russian government.
It follows a similar refusal by Zurich to Mondelez, which saw the insurer also decline to pay damages caused by NotPetya due to the act of war exclusion clause. Mondelez is now suing Zurich for $100m over the decision.
NotPetya, which occurred in 2017, was a cyber weapon disguised as ransomware attack that really a disk wiper. It is believed to have been designed to target the Ukranian government and infrastructure companies, but affected businesses across Europe and, to a lesser extent, the US. The cost to businesses is thought to total more than $1.2bn.
In February 2018 the UK government took the unusual step of blaming the attack on the GRU Russian military intelligence agency, suggesting strong confidence in the accusations.
The decision by a second insurer to refuse to pay out NotPetya over the act of war exclusion is of particular concern for businesses because it raises doubts that insurance can provide an effective safety net to cyberattacks – particularly given the increasing role nation states are playing in the cybersecurity arena. Full Story at Verdict.CO.UK