LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

What did the NotPetya incident in 2017 demonstrate about cyber risk and insurance?

NotPetya caused ~$10 bn in damages globally — the largest cyber event on record — and exposed the "war exclusion" loophole in most cyber-insurance policies.

The facts:

  • 27 June 2017 — wiper malware disguised as ransomware spread via the Linkos MeDoc Ukrainian tax-software update channel.
  • Primary intent: Russian state-level action against Ukraine — not a profit motive ("not from experienced cyber operator").
  • Spread: ~2 000 companies / organisations across 65 countries.
  • Headline damages (selected):
    • Merck & Co: ~$870 M (Wired's reported figure was higher; ISACA-cited 2×$300 M)
    • FedEx (TNT subsidiary): ~$300 M
    • Maersk: ~$300 M, full IT recovery 10 days
    • Saint-Gobain: ~€393 M
    • Mondelez: $100 M claim — denied under war exclusion
    • WPP, Reckitt Benckiser, Evraz, Rosneft, Ukraine PowerGrid, Kiev Airport

The insurance lesson — "Mondelez vs. Zurich":

  • Mondelez's policy excluded "hostile or warlike action."
  • Zurich invoked it because attribution pointed to a nation-state.
  • The case ran for years and ultimately settled — but the message was clear: cyber insurance you bought may not pay for the very event you bought it against if attribution lands on a state actor.

Why this matters for risk management: Transfer as a strategy is only as good as the policy fine print. Read your exclusions.

From Quiz: ISF / Risk Management | Updated: May 31, 2026