Is insurance coverage for cyber claims barred by a war exclusion? Judy Selby and Peter McLaughlin asked this question in a recent post for IAPP.

Two corporate giants, Mondelez International and Merck, made headlines recently after each sustained serious damage from an infection by NotPetya, an encrypting ransomware. Each has filed a declaratory judgment action after its carrier denied its claim. Reports of these insurance disputes have led to concerns that cyber incidents involving state actors would not be covered by cyber policies with war exclusions.

The Verizon 2019 Data Breach Investigations Report attributes 23% of breaches to nation-states or state-affiliated players. “These state-sponsored attacks typically range from theft or espionage to financial gain; however, some attacks appear to have been driven by grudge or by swatting a neighbor,” Selby and McLaughlin write.

“[P]erhaps we are viewing this through an old lens. Insurance has often been purchased to address hazards. Specifically, an organization obtains a policy to counter the slim risk of a fire, flood or other catastrophe. Fred Kaplan wrote an article for Slate in April in which he argues the inevitability of attacks – state-sponsored or otherwise – means that we should view cyber insurance more like we do health insurance: coverage against the inevitable, rather than against a hazard risk.”

Read on for what else Selby and McLaughlin had to say here.