For important information and updates on COVID-19, please click here.

Cyber as a Peril – Lessons on War Exclusions From NotPetya

April 28, 2022

The possible widescale impact of the Russia-Ukrainian War on cyber policies was explored in a previous Cyber Bulletin. However, how a “War” exclusion may interpret the peril of cyber has some history. A Merck case saw physical damage and interruption from a cyber event amounting to nearly $2 Billion in 2017. How this unfolded provides insight into how courts are interpreting policies and how markets are responding to address ambiguity leading to unintended coverage.

Why is this worth evaluation? Consider the NotPetya ransomware attack on Ukraine by the Russian stated sponsored group, Sandstorm. NotPetya exploited a popular software called MeDoc – Ukraine’s equivalent to TurboTax – as a Trojan Horse and gained undetected access to its customers.

Why does this matter and how does this inform us on cyber as a peril? Merck used MeDoc in the EU, and they were not alone. Other industry giants including an ocean cargo company headquartered in Copenhagen, a food company from Chicago, a consumer goods dealer from England and a shipping magnet from Tennessee.

  • Merck – Top 5 largest life science company had clinical trials interrupted, manufacturing delayed, product lost and nearly 30,000 computers affected.
  • Maersk – Controls about 17% of global container shipping. 22% of its freight terminals were disrupted with 50,000 of its computers and servers needing fixing or replacing.
  • Mondelez – With giant brands like Philadelphia Cream Cheese and Kraft, the food giant controls over 10% of market share in many food categories. Delays in manufacturing and distribution, lost product and loss of over 25,000 computers and servers.
  • Reckitt Benckiser – Maker of a wide variety of consumer goods. Lost production and delayed deliveries across the globe.

The attack was so reckless NotPetya ended up infecting Russian companies, including its state oil giant, Rosneft. Total global losses from NotPetya are estimated at $10 Billion, but that figure could be well below the actual devastation caused.

While cyber is not a new coverage, it is far from mature. In the aftermath of NotPetya, the New Jersey Superior Court sided with Merck regarding interpretation of their property policy’s war exclusion. This resulted in a $1.4 Billion award. Since NotPetya, most insurers have made coverage amendments to control or eliminate cyber coverage in the Property policies, as well as many other policies.

Lessons Learned

  1. Cyber is a peril, not a policy. Make sure you are evaluating “cyber” in ALL your policies.
  2. Widespread cyber events are becoming commonplace. Whether it’s a Zero Day vulnerability or state-sponsored war-like attack, insurers have significant concerns and are beginning to restrict coverage. Review your War exclusions and other widespread cyber event provisions.
  3. How secure are your business partners? Ensure you are evaluating third parties you interact with for their cybersecurity risk as part of the contract negotiations.
  4. Patch quickly. A patch for EternalBlue was released by Microsoft months prior to the NotPetya attack. This patch would have closed the vulnerability. Insurers are sub-limiting exposure and requiring coinsurance where patching is not timely executed.
  5. Segment your network. When all else fails and the virus gains access, segmenting your network can reduce its ability to spread so only a portion of your operations are affected.

For more information on how to ensure you are properly covered in the event of a cyber incident, please contact your Conner Strong & Buckelew account representative.


Cyber Risk

Practice Leader

Edward Cooney, MBA

Partner, Senior Account Executive, Underwriting Manager Public Entity Practice

Practice Leader

Edward Hanna, CIC, CIH

Vice President, Enterprise Risk Management Practice Leader, Senior Account Executive