Petya – Does uncertainty over motive raise coverage issues for insurers?


As new information continues to emerge about Tuesday’s cyber-attack, experts are coming to the view that this may not have been a traditional ransomware attack but rather a ‘wiper virus’ aimed at destroying information.

The objective of ransomware is to extract money from the victim in return for decrypting data. On this occasion, however, the virus made the victim’s data irretrievable by overwriting the master boot record and master file table. Furthermore, the software used in the attack did not contain a ‘personal infection ID’ which would have enabled the attackers to track who was infected and who had paid the ransom.

Interestingly, this virus, unlike ‘WannaCry’, does not appear actively to have looked for vulnerable devices outside the target organisation.

All of this raises the possibility that Tuesday’s events were in fact a targeted attack intended to destroy data which was disguised as a ransomware attack. Certainly, that is a view expressed by the Ukrainians. 65% of the infected systems are Ukrainian and there are other reasons to think that the attack was targeted at that country. The suggestion is that either the Russian Government or Russian separatist rebels in Eastern Ukraine were behind the attack – although the picture is confused by the fact that a number of Russian businesses, including the energy giant Rosneft, were hit.

It may well be that the current attacks do not generate large insurance losses but that will not always be the case. The new information about the attackers’ motive may raise the possibility that the attack was a continuation of the Ukrainian civil war and/or of its undeclared conflict with Russia. If that is the case, it may raise issues as to whether war exclusions will be activated and whether insureds might be looking to war risk covers for any recovery in circumstances of this nature. The answer to these questions will of course involve a careful analysis of the proximate cause to any victim as well as the precise terms of their insurance protection but it is an issue which will have to be addressed.

The virus impacted companies many thousands of miles away from the Ukraine and completely unrelated to any conflict there. Nonetheless, the same proximate cause analysis will need to be conducted in connection with their losses.

Both insureds and insurers will experience significant problems assembling the necessary evidence and proof in relation to these issues and expert assistance may well be necessary.

Simon Cooper