One year after the costliest cyberattack in history, debate continues as to whether NotPetya was “warlike” and whether the ubiquitous war exclusion found in cyber insurance policies could have prevented coverage.
NotPetya malware began spreading rapidly in June of 2017. It resembled the Petya ransomware in that it encrypted master files and demanded a Bitcoin ransom to restore access to those files, but it was far more dangerous because it could spread independently and it could encrypt pretty much any file beyond repair. The attack inflicted significant economic damage on several companies.
The attack’s focus on the Ukraine and its specific timing – it struck just before Constitution Day, when Ukraine celebrates its independence – led many to point the finger of blame at the Russian military, citing low-level conflict between the two countries after the occupation of Crimea in 2014 as the trigger. The US and UK governments supported this accusation.
“Everyone is aware of nation state hacking. The ultimate question is: at what point does a nation state cyberattack reach a level of severity that it enters the realm of cyber warfare?” said Matthew McCabe, assistant general counsel for cyber policy at Marsh.
“Certainly, in the case of NotPetya there were statements by the US and UK governments attributing the attack to the Russian military, but we can’t rush to judgment without ignoring the many other factors that come into play. Was NotPetya carried out by cyber privateers that acted without the instruction of any nation state government? What was the intent behind the attack? Did it support military purpose or was there an act of propaganda?”
McCabe addresses these questions and more in a new Marsh insight article entitled ‘NotPetya Was Not Cyber “War”’ in which he analyzes legal precedent to conclude that, despite the attack’s significant impact, NotPetya did not meet the criteria for “warlike” activity, and therefore does not trigger the war exclusion in cyber policies.
In the report, he states that in order for a cyberattack to escalate to “hostile and warlike” activity, its consequences must go beyond economic losses. He points back to when President Obama labelled a similar nation state cyberattack - which inflicted no physical damage but still proved very costly for a US company – as “an act of cyber vandalism.” For an attack to fall within the scope of the war exclusion, “there should be a comparable outcome, tantamount to a military use of force,” McCabe wrote.
“If a non-physical damage cyberattack facilitates additional warlike activity, such as troop movements or more hostile activity, then I would call that a hybrid attack,” McCabe told Insurance Business. “But in the instance of NotPetya, the attack caused serious concerns for private industry, but it didn’t challenge our national security, which is why it’s at the level President Obama spoke about with ‘cyber vandalism’.
“A war exclusion has never been triggered on a cyber policy. This is because we’re dealing with a ‘round peg in a square hole’ scenario in that the insurance industry has borrowed concepts and language from marine insurance policies written a century ago to address the new and quickly developing theory around cyber warfare. Markets and insureds have been asked to interpret this language in the context of cyber war. The real point of my article is to point out that there are too many voices reaching a conclusion of ‘warlike’ activity too quickly, without considering precedent and history.”