June 2017 saw one of the world’s most costly malware outbreaks ever.
The NotPetya ransomware, initially spread via a malicious automatic update to a popular Ukrainian accounting software tool, hit companies around the world including advertising giant WPP, household goods manufacturer Reckitt Benckiser, FedEx subsidiary TNT Express, and international shipping logistics company Maersk.
Shipping conglomerate Maersk later estimated that the NotPetya ransomware cost them as much as $300 million in lost revenue. Reckitt Benckiser, the firm behind such brands as Nurofen and Durex, blamed the malware attack for a $100 million loss in revenue.
Certainly not chump change.
One of those organisations hit by NotPetya was multinational law firm DLA Piper. The business, with a presence in over 40 countries, reportedly had a “flat network structure globally”, allowing every data centre and Windows-based server on its network to be impacted by NotPetya.
Wiping its systems and starting again must have been costly, even before you start counting the 15,000 hours of extra overtime it reportedly paid its IT staff.
So, it’s no surprise to hear that DLA Piper is interested in claiming back some of that expense from its insurers, Hiscox.
As The Times reports today, DLA Piper has started proceedings against Hiscox, saying that the insurance firm has failed to pay out for the damages and costs associated with the NotPetya attack - a claim which may amount to several million pounds.
From the sound of things, Hiscox is refusing to pay up because of the “act of war” exclusion clause commonly found in insurance policies. The UK government, you may recall, has officially stated that the Russian military was “almost certainly” behind the NotPetya attack.
A similar spat has recently broken out along the same lines between a firm (confectionary giant Mondelez) that was hit by the NotPetya ransomware, and an insurer (Zurich Insurance) that is declining to pay up.
I don’t know what type of insurance policy DLA Piper had with Hiscox, but as we discussed in a recent edition of the “Smashing Security” podcast, it appears that Mondelez may not have specifically had a cybersecurity insurance policy with Zurich but instead a property insurance policy that excluded warfare.
It will be interesting to see what comes out of the current dispute between DLA Piper and Hiscox, but my advice for other companies is that they should check their insurance policies’ small print and adjust as necessary.
After all, I suspect your business wouldn’t like to find out it’s not covered for a malware attack because it’s caught in the crossfire as countries launch digital attacks against each other.