The U.S. Department of Justice in October announced criminal charges against six Russian nationals for a string of cyber crimes, including attacks on electricity distribution facilities in Ukraine and the 2017 NotPetya wiper malware attacks. That was good news for international efforts to bring cyber criminals to justice - but it may have been bad news for corporations bitten by attacks like NotPetya, who have been looking to cyber insurance carriers to help defray the costs of recovering from that incident.
As this article over at Dark Reading notes, insurers' efforts to avoid payment of cyber insurance claims gained more weight with the indictments, which resonate with insurers' claims that attacks like NotPetya were an "act of war" not covered by their policies.
Damages from those attacks are at the heart of major lawsuits that are pending against insurance companies. Merck brought a $1.3 billion legal action against its insurers while the food and beverage firm Mondelez brought a $100 million lawsuit against its insurer, Zurich Insurance related to NotPetya costs, as well.
"The indictment underscores the general principle here that from a practical perspective, insurance is not a get-out-of-jail-free card," says Crabtree. "It should be considered a supplement to your own financial risk calculations."
Organizations need to expect push back from insurers and take steps to clarify the extent of coverage before- rather than after a damaging and costly event has taken place.
"So if you want coverage from a cyber event, don't count on your normal building policy. Don't count on a general business interruption policy," Crabtree is quoted saying. "Explicitly buy cyber coverage...if the policy does not start with the word 'cyber,' then you shouldn't count on it being there when you need it."
Read the full article at Dark Reading.