Oct 7, 2020 - World

Report highlights key flaws in cyber insurance

Insurers are invoking clauses that exclude war-related damage from coverage to reject claims related to state-backed cyberattacks, notes a new report from the Carnegie Endowment for International Peace.

Why it matters: This “war exclusion” raises “doubts about whether adequate or reliable coverage exists for state-sponsored cyber incidents,” the report says.

Where it stands: Insurers’ use of this exclusion is currently being litigated, says the report, as a result of claims made after the catastrophic 2017 NotPetya incident, which led to an estimated $10 billion in losses across the globe.

Flashback: The NotPetya virus, which was Russian in origin, was aimed at disrupting and destroying Ukrainian online infrastructure, but soon infected systems worldwide.

The big picture: Some insurers’ “novel use of the war exclusion” in refusing to reimburse companies for losses from nation-state cyberattacks has contributed to an unsettled cyber insurance marketplace, says the Carnegie Endowment.

  • “Three years after NotPetya, it is still unclear how insurance can or should cover state-sponsored cyber incidents and other large-scale cyber risk. This fundamental uncertainty continues to inhibit the development of robust, socially beneficial cyber insurance markets,” says the report.

What’s next: The report suggests insurers could craft a new, more tailored "exclusion for cyber catastrophes," as well as a separate exclusion for "cyber losses arising from kinetic war" — that is, cyberattacks that accompany a conventional armed conflict between states.
