The UK’s largest law firm, DLA Piper, is taking legal action against insurer Hiscox after it denied the legal firm’s damages claim in the wake of a massive ransomware attack.
As a result of the attack, which cost millions of pounds to remedy, DLA Piper’s phones and emails were inoperable for two days – leaving its 36,000 lawyers across 40 countries unable to access its systems.
According to reports, after unpicking the damage caused by the virus the firm was forced to start over with its entire Windows environment at great expense.
It is estimated that the NotPetya ransomware attack cost the firm an extra 15,000 hours of overtime for its IT staff. It is also believed the company became infected through a supplier and that its flat network structure enabled the malware to spread rapidly across the globe.
Hiscox is disputing the claim, and in a written statement a spokesperson for the insurer said its refusal to pay is nothing to do with a war exclusion. Instead, the company asserts that the legal firm does not have a cyber policy and is claiming under a general insurance policy. The two companies have entered arbitration to settle the matter.
The war exclusion clause or “act of war” has been cited by insurance giant Zurich as reason not to pay confectionary company Mondelez, which is said to be suing the insurer for over for over $100m to cover permanent damage to 1700 of its servers and 24,000 laptops – as well as unfulfilled orders and other operational disruption.
Anjola Adeniyi, EMEA technical leader at Securonix warned that the rise of cybercrime would see disputes of this nature becoming more common.
“The increasing difficulties facing companies who try and claim insurance following a cyber attack is highlighting the growing need to implement preventative strategies,” he said.
“Whilst many companies will fall victim to a ransomware attack, one of the first steps they need to take is to ensure it doesn’t happen again. Computer systems need to be up-to-date on security patches, networks monitored for infections and employees educated on cyber hygiene.”
With cybercrime being a relatively new sphere for both companies and legal firms, there is still much work to be done on the legal clauses surrounding the issue and clarification if cyber attacks can be classed as acts of war similar to terrorism.
According to a report by Lloyd’s, cybercrime is estimated to cost businesses more than $400 billion a year. As cybercrime increases, so too does the value of the global market for cyber insurance, which is thought to be worth up to $3 billion, with insurers writing $1.4 billion in premiums in 2016, a 35% cent jump on the previous year.