In 2017, Russia’s military shocked the world by launching the most damaging cyberattack in history, a $10 billion global incident called NotPetya. Insurers felt this shock sharply, and the tremors still reverberate today. NotPetya showed that cyber risk is greater than many had thought, with global aggregation potential—and that insurance coverage remains limited and flecked with ambiguities. Three years later, the industry has not yet overcome these challenges. One of the thorniest unresolved questions is how war exclusions apply to cyber incidents like NotPetya.
Carnegie does not take institutional positions on public policy issues; the views represented herein are those of the author(s) and do not necessarily reflect the views of Carnegie, its staff, or its trustees.