Quiz Entry - updated: 2026.05.31
What did the NotPetya incident in 2017 demonstrate about cyber risk and insurance?
NotPetya caused ~$10 bn in damages globally — the largest cyber event on record — and exposed the "war exclusion" loophole in most cyber-insurance policies.
The facts:
- 27 June 2017 — wiper malware disguised as ransomware spread via the Linkos MeDoc Ukrainian tax-software update channel.
- Primary intent: Russian state-level action against Ukraine — not a profit motive ("not from experienced cyber operator").
- Spread: ~2 000 companies / organisations across 65 countries.
- Headline damages (selected):
- Merck & Co: ~$870 M (Wired's reported figure was higher; ISACA-cited 2×$300 M)
- FedEx (TNT subsidiary): ~$300 M
- Maersk: ~$300 M, full IT recovery 10 days
- Saint-Gobain: ~€393 M
- Mondelez: $100 M claim — denied under war exclusion
- WPP, Reckitt Benckiser, Evraz, Rosneft, Ukraine PowerGrid, Kiev Airport
The insurance lesson — "Mondelez vs. Zurich":
- Mondelez's policy excluded "hostile or warlike action."
- Zurich invoked it because attribution pointed to a nation-state.
- The case ran for years and ultimately settled — but the message was clear: cyber insurance you bought may not pay for the very event you bought it against if attribution lands on a state actor.
Why this matters for risk management: Transfer as a strategy is only as good as the policy fine print. Read your exclusions.