This summer marks the fifth anniversary of the most expensive cyberattack ever: the NotPetya malware, released by Russia in June 2017, that shut down computer systems at companies and government agencies around the world, causing upward of $10 billion in damage due to lost business, repairs, and other operational disruptions. Half a decade later, the businesses affected by NotPetya are still sorting out who will pay those considerable costs in a series of legal disputes that will have serious ramifications for the rapidly growing cyberinsurance industry, as well as for the even more rapidly growing number of state-sponsored cyberattacks that blur the line between cyberwar and standard-issue government cyberactivity.
Whether or not insurers cover the costs of a cyberattack can depend, in part, on being able to make clear-cut distinctions in this blurry space: When Russian government hackers targeted Ukraine’s electric grid earlier this year, was that an act of war because the two countries were already at war? What about when Russia hacked Ukraine’s electric grid in 2015, or when pro-Russian hackers targeted servers in countries like the United States, Germany, Lithuania, and Norway because of their support for Ukraine? Figuring out which of these types of intrusions are “warlike” is not an academic matter for victims and their insurers—it is sometimes at the heart of who ends up paying for them. And the more that countries like Russia exercise their offensive cyber capabilities, the harder and more critical it becomes to make those distinctions and sort out who is on the line to cover the costs.
When insurers first began offering policies that covered costs related to computer security breaches more than 20 years ago, the promise was that the industry would do for cybersecurity what it had done for other types of risks like car accidents, fires, or robbery. In other words, cyberinsurance was supposed to insulate policyholders from some of the most burdensome short-term costs associated with these events while simultaneously requiring those same policyholders to adopt best practices (seat belts, smoke detectors, security cameras) for reducing the likelihood of these risks in the first place. But the industry has fallen well short of that goal, in many cases failing both to help breached companies cover the costs of major cyberattacks like NotPetya, and to help companies reduce their exposure to cyber risk.
Certainly, cyberinsurance has helped organizations cover the costs of many data breaches and cybersecurity incidents, including, in several cases, large ransoms paid directly to criminals. But when it came to NotPetya—a piece of malware so devastating that the White House later referred to it as “the most destructive and costly cyberattack in history”—victims including the multinational food corporation Mondelez and the pharmaceutical company Merck struggled to recoup their losses from their insurance carriers. Merck filed a lawsuit against several insurers and reinsurers in August 2018, claiming $1.4 billion in NotPetya-related losses, and a New Jersey court ruled in the pharmaceutical company’s favor in December 2021. Mondelez filed a similar complaint against its insurer Zurich in October 2018 for $100 million in a case that is still ongoing. Their insurers argued that because several governments had attributed NotPetya to the Russian government, the cyberattack was a “hostile or warlike action” by a government, and therefore excluded from the companies’ property and casualty coverage under standard war exclusions.
Those exclusions date back long before cyberattacks and have largely not been updated, even as property and casualty policies themselves have expanded to include coverage for damage to data and software caused by malware. NotPetya was the first time that insurers tried to invoke these exceptions to avoid paying for a cyberattack. It was an important test case for the insurers—and their policyholders—because the attack was both expensive and had been so clearly and definitively attributed to a national government by so many countries. That meant there was a lot of money at stake for the insurers and also a plausible argument for them to make that NotPetya was no ordinary run-of-the-mill piece of malware, but instead something akin to, well, war.
The attribution of NotPetya to the Russian government mattered because in past insurance disputes about war exclusions, the question of whether a sovereign power was behind an attack took on great importance. For instance, insurers tried—and failed—to claim that the 1970 hijacking of Pan Am flight 093 by the Popular Front for the Liberation of Palestine (PFLP) was an act of war for insurance purposes. But a court rejected that argument in 1973, in part because the PFLP “was not a de facto government,” and ordered the insurers to pay the full value of the destroyed aircraft: $24,288,759. More recently, in 2014, when Universal had to move filming for its television series Dig out of Jerusalem due to Hamas rocket attacks in the region, the studio’s insurer insisted that the costs of interrupting and relocating the shoot couldn’t be claimed under Universal’s insurance because the attacks fell under the policy’s war exclusion. The insurer lost that case, too, with the Ninth Circuit ruling in 2019 that the war exclusion only applied to “hostilities between de jure or de facto governments.”