Multinational law firm DLA Piper is in a dispute with its insurer, Hiscox. Initial reports in The Times said that the claim related to the NotPetya cyber-attacks and that the insurer was citing a war exclusion clause as a reason for non-payment, echoing an earlier contentious case with Zurich Insurance. However In a subsequent phone call with SC Media UK, a Hiscox spokesperson said that this is not correct.
It was confirmed that DLA Piper does not have a cyber-security specific policy and that this is central to the dispute, with the Hiscox spokesperson saying, "They are making a claim which we are disputing. They don’t have the right cover. It’s not a cyber policy and its nothing to do with war exclusion.’
This was followed up with a written statement to SC Media UK in which Kylie O'Connor, head of group communications, Hiscox Partner said, ""The dispute we are in with DLA Piper, is not about a cyber policy and has nothing to do with a war exclusion."
(In view of this information SC Media UK has deleted its initial report and reproduces an edited version below)
It was reported that a ransomware attack wiped out systems at DLA Piper and cost the firm 15,000 hours of extra overtime for its IT staff and that Hiscox won't pay out for the damages and costs associated with the attack which may amount to several million pounds.
A slew of international companies were hit by the NotPetya attack, with Maersk, the world’s biggest container shipper suffering losses of up to US$300 million (£227 million), thus potential insurance claims could be staggering if allowed. As confirmed above, the DLA Piper claim is being made under a general insurance policy rather than a specific cyber-insurance policy, and the non-payment is not due to a war exclusion according to Hiscox.
This is important, because, had it been using a 'war' exclusion clause based on the source of NotPetya being identifed by the UK government as coming from Russia it could potentially have undermined the growth of cyber-insurance since being collateral damage, or even targetted by a state entity, is part of the reality of the current threat landscape. It could also cause governments to be more circumspect in attribution if it risks dragging them into the courtroom for either defence or prosecution.
In relation to the earlier Zurich case when a war exclusion clause was cited as the reason for not paying Mondelez following the NotPetya attacks, at that time, Matthew Webb, Cyber Line Underwriter at insurer Hiscox emailed SC Media to comment: "We think cases such as this, where a customer is trying to claim for a cyber-loss under a policy which is not cyber-specific, highlight the need for specially-designed cyber-insurance policies which protect customers from the potentially devastating impacts of cyber-attacks.
"Cyber is one of the most significant and rapidly-evolving perils facing businesses and individuals today, and it requires specialist underwriting to provide cover that customers know is tailored to their particular needs. Dedicated cyber policies can also provide access to cyber experts who can assist in the event of an attack.
"In this day and age, being insured against the impacts of cyber-attacks is as essential as insuring a car, office or workforce, and being adequately covered should not be left to chance."