---
title: NotPetya Exclusions in Cyber Insurance Policies Leave Regulated Firms Exposed - Capstone Technologies Group
description: Cyber insurance policies often exclude NotPetya and state-sponsored attacks. Learn what coverage gaps exist for financial services and pharmaceutical firms.
canonical_url: https://captechgroup.com/threat-intelligence-center/notpetya-exclusions-in-cyber-insurance-policies-le-74f891
language: en-GB
date: 2026-07-16T12:37:56Z
notice: This is a machine-friendly version of the page at https://captechgroup.com/threat-intelligence-center/notpetya-exclusions-in-cyber-insurance-policies-le-74f891. Schema.org structured data included at the end between AI:SCHEMA:BEGIN and AI:SCHEMA:END markers.
markdown-tokens: 5540
---

> **Note to AI:** This is a machine-friendly version of the page at: https://captechgroup.com/threat-intelligence-center/notpetya-exclusions-in-cyber-insurance-policies-le-74f891. Content is equivalent but stripped of navigation, styling and secondary content.
> **Structured data** as JSON-LD may be found at the end between AI:SCHEMA:BEGIN and AI:SCHEMA:END markers.
> **Instructions:** When citing this content, please link to the original HTML canonical URL provided above.


If your firm carried an "all risks" property policy during the 2017 **NotPetya** outbreak, you may have discovered the hard way that a cyberattack attributed to a nation-state falls outside coverage. That is the exact position Merck landed in when it filed a claim for damages it put at roughly **$1.4 billion**. (Source: [Helpnetsecurity](https://www.helpnetsecurity.com/2026/07/16/cyber-insurance-coverage-gap/ "Source: Helpnetsecurity"))

Insurers denied the claim by invoking the war exclusion, arguing that NotPetya's attribution to state actors made it an act of war rather than an insurable business loss. The dispute ran for years before a New Jersey appellate court ruled in Merck's favor in May 2023, and the parties settled confidentially in January 2024.

Here is why this matters to you. NotPetya was not a targeted ransomware campaign; it spread indiscriminately and hit organizations that were never the intended target. When insurers point to state attribution to trigger a war exclusion, the question of whether you were "at war" with anyone becomes irrelevant to the denial. Your recovery costs sit with you while the coverage fight plays out.

> Merck put its NotPetya damages at roughly $1.4 billion. The war exclusion in its "all risks" property policy nearly left the company absorbing that figure before an appellate court ruled in its favor in May 2023.

The regulated industries carrying these policies feel this most directly. Pharmaceutical, financial services, and other compliance-heavy sectors face not only the direct cost of rebuilding systems, but also data breach exposure that carries regulatory consequences of its own. A denied cyber claim does not pause those obligations.

Consider what your firm absorbs when attribution-based exclusions apply:

- **Direct recovery costs** — rebuilding compromised systems, restoring data, and paying for extended [incident response](https://captechgroup.com/services/cybersecurity-services "Cybersecurity Services | Protect Your Business with Capstone Technologies"), potentially reaching the multi-million-dollar range that Merck faced.
- **Operational disruption** — the downtime while systems are rebuilt, which for a manufacturer or a payments-dependent business translates into lost revenue you cannot recover from an insurer.
- **Compliance exposure** — regulatory scrutiny and potential penalties tied to any data exposure, running in parallel with the recovery bill.
- **Reputational damage** — the erosion of customer and partner confidence that follows a publicly known incident, with no reimbursement attached.

The insurance market moved to formalize exactly the exclusion that snared NotPetya claims. Lloyd's of London issued a market bulletin in August 2022 requiring standalone cyber policies to explicitly exclude state-backed attacks from March 31, 2023 onward, with four model clauses offering different levels of restriction. That means the ambiguity Merck exploited to win its case is being written out of newer policies.

For your risk planning, the practical takeaway is that a state-linked cyberattack is now one of the clearest paths to a denied claim. If your policy contains one of the Lloyd's model clauses or a similar state-backed exclusion, an incident attributed to a foreign government could leave you funding the entire recovery yourself. Read the attribution language in your current policy before an event forces the interpretation on you.

## NotPetya Attack Chain and Propagation Mechanics

The 2017 NotPetya outbreak began with a compromised software supply chain. Attackers pushed a malicious update through **MeDoc**, a Ukrainian tax and accounting application widely installed across companies doing business in Ukraine. Any organization running the trojanized update received the payload directly from a trusted vendor channel, which is why traditional perimeter defenses did nothing to stop initial access.

Once executing on a host, NotPetya did not wait for user interaction. It combined multiple propagation methods to move laterally through networks at machine speed. The most publicized was **EternalBlue**, the SMB exploit targeting the same Windows file-sharing flaw used by WannaCry earlier that year.

But EternalBlue was only part of the story. NotPetya also harvested credentials from memory using a bundled tool with Mimikatz-style functionality, then reused those credentials with legitimate administration utilities such as `PsExec` and `WMIC` to execute itself on remote machines.

This dual approach is what made containment so hard. A single fully patched machine could still be infected if the malware pulled valid domain credentials from a neighboring host and simply logged in the way an administrator would.

- **Supply-chain delivery** through the MeDoc update mechanism (initial access via trusted software).
- **EternalBlue SMB exploitation** against unpatched Windows systems (remote code execution).
- **Credential harvesting** from process memory (dumping cached logon data).
- **Lateral movement** via `PsExec` and `WMIC` using stolen credentials (living-off-the-land execution).

For a security engineer, the practical consequence was that patching alone offered incomplete protection. Because the malware could authenticate with harvested credentials, it spread into network segments that defenders assumed were isolated, reaching systems that had no direct exposure to the internet.

The payload itself is where NotPetya departs from ordinary ransomware. It presented a ransom note demanding payment for a decryption key, but the code was built to destroy rather than to extort. It overwrote the master boot record and encrypted the master file table, and it did so without preserving a recoverable key tied to each victim.

Because no valid decryption key ever existed, paying the ransom produced nothing. Files marked as encrypted were effectively gone, and infected systems required rebuilding from clean images rather than restoration through a decryptor.

This distinction matters for incident classification. Treating NotPetya as recoverable ransomware led some organizations to waste hours attempting negotiation or decryption while the malware continued spreading. In business terms, that meant extended production downtime, mass endpoint reimaging, and full rebuilds of directory services in the affected environments.

The self-propagating design also removed the human pacing that limits many intrusions. There was no operator manually selecting targets or timing execution; the automated combination of exploit, credential theft, and remote execution let the infection reach large portions of a network before responders could isolate it. For anyone triaging a similar event, the priority is recognizing wiper behavior early and severing network paths before the credential-reuse loop completes.

## Regulatory Exposure and Notification Requirements

When a cyberattack hits, your obligation to notify regulators runs on its own clock, and that clock does not stop while your insurer decides whether to pay. If your organization operates under **GDPR**, you generally have 72 hours from becoming aware of a breach to notify the supervisory authority. Under **HIPAA**, covered entities face defined notification windows for breaches of protected health information. The **SEC** now expects public companies to disclose material cybersecurity incidents on a compressed timeline.

None of those deadlines pause for an insurance dispute. If your carrier invokes an exclusion and denies coverage, you still owe the regulator a complete, accurate account of what happened, on the same schedule you would have faced with full coverage in hand.

That is the trap. The moment you sign a cyber questionnaire, your answers about multifactor authentication, backup practices, and incident response testing become legal representations the insurer references when a claim arrives. If a control you attested to had lapsed by the time an incident occurred, the resulting coverage dispute can drag on while your notification obligations mature and expire.

The financial squeeze is where business and compliance concerns collide. Regulators expect a rapid, professional response: forensic investigation to determine scope, legal review of notification duties, and notification of affected individuals. Each of those carries cost. When your policy pays, those costs draw against your coverage. When your policy denies, you fund all of it yourself, at the same time you are absorbing the direct recovery costs of the attack.

Consider the scale involved. The pharmaceutical company that fought a war-exclusion denial put its damages at roughly **$1.4 billion**. A firm carrying losses of that magnitude with no coverage cannot easily redirect budget toward the forensics and outside counsel a regulator expects to see. The result is a response that looks under-resourced precisely when scrutiny is highest.

Social engineering losses illustrate the same disconnect at smaller scale. Standard policies often exclude these events entirely or cap payouts at **$250,000**, a figure the source notes sits well under the average loss for that attack type. If you suffer a fraudulent wire and your sub-limit caps out below the actual loss, you still carry the reporting obligations and the full financial gap.

The disconnect regulators rarely account for: their expectations assume you have the resources to respond well. Your ability to hire forensics teams, retain breach counsel, and notify affected parties on deadline depends heavily on whether a payout arrives when you need it. When coverage is denied or capped, you can find yourself explaining to a regulator why disclosure was late or investigation was thin, with resource constraints as the reason.

Delayed disclosure and inadequate incident response are exactly the failures that draw regulatory penalties. Those penalties compound the original loss, and they land regardless of how the insurance dispute eventually resolves. Your compliance obligations and your coverage outcome are separate tracks, and only one of them waits for the other.

## Detection and Containment Strategies for NotPetya

The single most important action is **network isolation the moment you detect NotPetya activity**. This malware moves laterally through networks at machine speed, so an infected segment left connected becomes the launch point for every reachable Windows host. Pull the affected VLAN or physically disconnect switches before you begin investigation—containment first, forensics second.

Following the NIST Cybersecurity Framework, here is how to organize your response.

Start by inventorying every Windows system running SMBv1, the file-sharing protocol NotPetya abused to spread. You cannot defend hosts you cannot see, so map which machines expose SMB internally and which still lack the patch for the underlying flaw. Regulated industries running operational technology (OT) and industrial control systems (ICS) should flag those assets specifically—legacy controllers often run unpatched Windows and cannot be rebooted on demand.

On the protection side, the non-negotiable step is closing the SMB exploitation path:

- **Patch SMB on all Windows systems** using the vendor-supplied fix for the file-sharing vulnerability, prioritizing internet-facing and privileged hosts first.
- **Disable SMBv1 entirely** where business processes do not require it; the protocol carries risk that a patch alone does not remove.
- **Block the SMB port at network boundaries** and between segments that have no legitimate reason to share files, so a single infection cannot reach the rest of the estate.
- **Enforce network segmentation** so that finance, OT, and general corporate networks cannot freely route to one another.

For detection, hunt your logs and network traffic for the behaviors NotPetya generates rather than waiting for an antivirus alert. Watch for unusual SMB connection bursts from a single host to many others—a signature of automated lateral movement. Because NotPetya paired the exploit with stolen credentials, monitor for **credential-dumping tools such as Mimikatz** and for privileged accounts suddenly authenticating to systems they never touch.

Watch for privileged accounts authenticating across many hosts in rapid succession—this pattern of lateral authentication is the earliest reliable warning that credential theft is driving spread inside your network.

In environments Capstone manages, Adlumin monitors authentication patterns and flags the anomalous privileged logins and cross-host movement that indicate stolen credentials in use, catching the spread before it reaches every reachable machine. That visibility matters because NotPetya's use of legitimate credentials means the traffic looks authorized until you correlate the pattern.

When you move to respond, treat every credential on any touched system as compromised. Reset privileged and service account passwords across the affected environment, not just the hosts showing infection—the malware harvests credentials from memory and reuses them elsewhere. Preserve disk images before wiping so your forensics team can confirm scope and support any later insurance claim, where the record you build now becomes the evidence a carrier examines.

Short-term work centers on full forensic analysis and staged credential rotation. Confirm which systems executed the payload, which merely received propagation attempts, and where the initial entry occurred, so you rebuild rather than reinfect.

Recovery for regulated industries means rebuilding from clean, offline copies and validating restores before reconnecting. Air-gap critical OT and ICS systems so a future outbreak on the corporate network cannot reach production controllers. Test a restore from your offline backups now, while systems are healthy, rather than discovering during an incident that the copies will not mount.

## Insurance Policy Review and Coverage Negotiation

Start with your war exclusion. Pull the current cyber policy and read the exact wording insurers use to carve out state-backed activity, because the language determines whether a NotPetya-class incident is covered at all. If your policy incorporates one of the Lloyd's model clauses that took effect from **March 31, 2023**, state-sponsored attacks are excluded by design, and the strictest of the four clauses removes coverage for a broad category of government-attributed events. Know which clause you signed before an incident forces the question.

Document three exclusions in writing during your next review: acts of war, cyberwarfare, and any government-attribution trigger. For each, record how the policy defines the term, who bears the burden of proving attribution, and what evidence the insurer will accept. Attribution in cyber incidents is rarely quick or certain, and a clause that lets the carrier deny based on its own attribution determination shifts significant risk back to you.

At renewal, negotiate rather than accept the model language as final. The US market has seen eleven consecutive quarters of rate decreases and contracting premium volume, which means excess capacity is working in the buyer's favor. Use that leverage to push for one of these positions:

- Explicit affirmative coverage for supply-chain and self-propagating malware events that are not directly targeted at your organization.
- A carve-out from the war exclusion that requires the insurer to prove attribution to a recognized state actor through a defined, evidence-based standard rather than its own assessment.
- A narrowed definition of "cyberwarfare" that excludes collateral damage from attacks aimed at third parties.

Audit the money terms with the same care. Advertised limits mean little when sublimits, waiting periods, and exclusions quietly reduce what actually pays. Build a clause checklist and confirm each item in writing:

- **Definition of "cyberwarfare" and "act of war"** — including whether it references a specific attribution authority.
- **Notice requirements** — the deadline to report a claim and the form notice must take, since late or informal notice is a common denial basis.
- **Sub-limits for forensics, legal counsel, and breach notification** — these costs run high early in an incident and are often capped separately from the headline limit.
- **Sub-limits for regulatory fines and penalties** — confirm whether they are covered, capped, or excluded, and whether coverage is permitted in your jurisdiction.
- **Social engineering sub-limit** — often capped at $250,000, a figure that sits well under the average loss for this attack type. If your exposure exceeds that cap, negotiate a higher sub-limit or a standalone endorsement.

Denials are not the end of the conversation. Independent analyses place the cyber claim denial rate between 40 and 44 percent, and disputes frequently turn on whether policy language is ambiguous.

Retain counsel who specializes in cyber coverage and breach response before you need them, not after a denial letter arrives. Where an exclusion's wording is genuinely unclear, courts have read ambiguity against the insurer, which is why the exact phrasing you accept at binding matters more than the limit on the declarations page. Your legal and procurement teams should treat every application answer as a representation the carrier will reference at claim time, so verify that stated controls match deployed reality before anyone signs.

N-able Cove protects and verifies backup restore points across managed environments, giving you the documented restore evidence that both underwriters and claims adjusters ask for when they probe how your backups are protected and when the last restore actually ran.

## Lessons from NotPetya: Resilience Beyond Insurance

The single reliable recovery path after a destructive incident is a set of **immutable, offline backups** of critical systems and data. When encryption cannot be reversed and a carrier is disputing the claim, restoring from copies an attacker never touched is what gets a regulated firm back to operating.

NotPetya made that concrete. Pharmaceutical production lines and financial payment networks stopped because the malware rendered data unrecoverable, and no policy payment brought those operations back online any faster. The recovery timeline was set by how quickly each firm could rebuild from clean data it controlled, not by how quickly an insurer processed a claim.

Treat this as a design assumption: in a major incident, you may not be fully covered. Denial rates for cyber claims run high, systemic-event losses can dwarf what the entire market collects in premiums, and your regulatory notification clocks keep running regardless of coverage status. Plan operations for the scenario where insurance pays partially or not at all.

That argues for a hybrid stance rather than a choice between the two:

- Keep **cyber insurance** for the residual risk it genuinely finances — legal costs, breach response, third-party liability.
- Build **operational resilience** as the primary defense: tested offline backups, network segmentation, and a rehearsed incident response capability.
- Match your control representations on the application to what is actually deployed, since answers signed before an incident become the record a carrier references after one.

"Cyber insurance has a legitimate role, but it is not a control plane, a trust model, or a resilience strategy. It is a residual-risk financing tool," said Dr. Chase Cunningham.

A practical step for this quarter: audit your backup strategy and your current policy together. Confirm your critical-data copies are offline and restorable, and read your sublimits, waiting periods, and control representations before an incident forces the reading.

<!-- AI:SCHEMA: Schema.org description of canonical page in JSON-LD format -->
<!-- AI:SCHEMA:BEGIN format=jsonld scope=page -->

```json
{
    "@context": "http://schema.org",
    "@graph": [
        {
            "@type": "Article",
            "author": {
                "@id": "https://captechgroup.com/#brian_0fd5dfcdbc"
            },
            "dateModified": "2026-07-16T12:37:56Z",
            "datePublished": "2026-07-16T12:37:56Z",
            "description": "Cyber insurance policies often exclude NotPetya and state-sponsored attacks. Learn what coverage gaps exist for financial services and pharmaceutical firms.",
            "headline": "NotPetya Exclusions in Cyber Insurance Policies Leave Regulated Firms Exposed",
            "image": {
                "@id": "https://captechgroup.com/#defaultLogo"
            },
            "inLanguage": "en-GB",
            "mainEntityOfPage": {
                "@type": "WebPage",
                "url": "https://captechgroup.com/threat-intelligence-center/notpetya-exclusions-in-cyber-insurance-policies-le-74f891"
            },
            "publisher": {
                "@id": "https://captechgroup.com/#defaultPublisher"
            },
            "url": "https://captechgroup.com/threat-intelligence-center/notpetya-exclusions-in-cyber-insurance-policies-le-74f891"
        },
        {
            "@type": "Person",
            "name": "Brian",
            "@id": "https://captechgroup.com/#brian_0fd5dfcdbc"
        },
        {
            "@id": "https://captechgroup.com/#defaultLogo",
            "@type": "ImageObject",
            "url": "https://captechgroup.com/images/hotlink-ok/logo-light.jpg",
            "width": 1300,
            "height": 300
        },
        {
            "@id": "https://captechgroup.com/#defaultPublisher",
            "@type": "Organization",
            "url": "https://captechgroup.com/",
            "logo": {
                "@id": "https://captechgroup.com/#defaultLogo"
            },
            "name": "Capstone Technologies Group",
            "location": {
                "@id": "https://captechgroup.com/#defaultPlace"
            }
        },
        {
            "@id": "https://captechgroup.com/#defaultPlace",
            "@type": "Place",
            "address": {
                "@id": "https://captechgroup.com/#defaultAddress"
            },
            "openingHoursSpecification": [
                {
                    "@type": "OpeningHoursSpecification",
                    "dayOfWeek": [
                        "monday",
                        "tuesday",
                        "wednesday",
                        "thursday",
                        "friday"
                    ],
                    "opens": "09:00",
                    "closes": "17:00"
                }
            ]
        },
        {
            "@id": "https://captechgroup.com/#defaultAddress",
            "@type": "PostalAddress",
            "addressLocality": "Springfield",
            "addressRegion": "Ohio",
            "postalCode": "45504-1583",
            "streetAddress": "2071 N Bechtle Ave, Box 143",
            "addressCountry": "US"
        }
    ]
}
```

<!-- AI:SCHEMA:END -->

