Illustration: Lazaro Gamio/Axios

Insurers are pointing to clauses that exempt war-related damage from being covered in order to reject claims related to state-backed cyberattacks, notes a new report from the Carnegie Endowment for International Peace.

Why it matters: This “war exclusion” raises “doubts about whether adequate or reliable coverage exists for state-sponsored cyber incidents,” the report says.

Where it stands: Insurers’ use of this exclusion is currently being litigated, says the report, as a result of claims made after the catastrophic 2017 NotPetya incident, which led to an estimated $10 billion in losses across the globe.

Flashback: The NotPetya virus, which was Russian in origin, was aimed at disrupting and destroying Ukrainian online infrastructure, but soon infected systems worldwide.

The big picture: Some insurers’ “novel use of the war exclusion” in refusing to reimburse companies for nation-state cyberattack-related losses has helped contribute to an unsettled cyber insurance marketplace, says the Carnegie Endowment.

  • “Three years after NotPetya, it is still unclear how insurance can or should cover state-sponsored cyber incidents and other large-scale cyber risk. This fundamental uncertainty continues to inhibit the development of robust, socially beneficial cyber insurance markets,” says the report.

What’s next: The report suggests insurers could craft a new, more tailored "exclusion for cyber catastrophes," as well as a separate exclusion for "cyber losses arising from kinetic war" — that is, cyberattacks that accompany a conventional armed conflict between states.

Go deeper

Bryan Walsh, author of Future
Oct 7, 2020 - Technology

Protecting a smarter electrical grid against cyberattacks

Illustration: Eniola Odetunde/Axios

A smarter, more connected electrical grid is more efficient and more resilient against natural threats — but more vulnerable against cyberattacks.

Why it matters: As electricity shifts to more distributed and intermittent renewable sources, updating the grid has become a necessity. But unless cyber defense keeps pace, digitizing the grid will also open up new points of approach for cyber threats.

Ransomware victims may be penalized for paying up, says Treasury

Illustration: Aïda Amer/Axios

Victims of ransomware attacks who pay criminals to release their data may be held liable for violating U.S. sanctions — even if they don’t know the true identity of their tormentors, advised the Treasury Department in a bulletin last week.

Why it matters: The move could doubly punish the victims of ransomware attacks.

Updated 29 mins ago - Politics & Policy

Coronavirus dashboard

Illustration: Sarah Grillo/Axios

  1. Politics: The swing states where the pandemic is raging — Pence no longer expected to attend Barrett confirmation vote after COVID exposure.
  2. Health: 13 states set single-day case records last week — U.S. reports over 80,000 new cases for second consecutive day.
  3. Business: Where stimulus is needed most.
  4. Education: The dangerous instability of school re-openings.
  5. World: Restrictions grow across Europe.
  6. Media: Fox News president and several hosts advised to quarantine.