Mondelez’s cyberinsurance policy covered “physical loss or damage to electronic data, programs, or software” with “the malicious introduction of a machine code or instruction”.
Now, Zurich’s refusal to pay, relying on an exclusion in the policy for
“hostile or warlike action in time of peace or war […] by a government or sovereign power or people acting for them”,
Apart from the direct consequences for the victim of NotPetya, the Zurich decision raises two main questions that European cybersecurity stakeholders should tackle before the issue becomes a serious problem for the whole cybercommunity:
- To what extent, and under which conditions, can a cyberattack be considered an act of war?
- Which authority can judge, as an independent authority, whether a cyberattack can be considered an act of war?
Let us know your opinion on this development in the cyberinsurance landscape by joining our next workshop on “Insurance in Cyber-security”, to be held in March in Milan (Italy). Keep following us to learn more.
This article was written by project member ZenaByte. ZenaByte is a spin-off of the DIBRIS Department of the University of Genoa whose main objective is the development of innovative methodologies for intelligent management, interpretation and extraction of knowledge from data.