NotPetya was described by the White House as "the most destructive and costly cyber-attack in history" and five years after it occurred, many of the companies hit by the Russian cyber attack were still sorting out who would pay for the damages and, in particular, what portion their insurance would cover. Several insurers denied NotPetya-related claims on the grounds that the cyber attack was a "warlike action" because it was perpetrated by the Russian government and therefore excluded from most standard insurance policies.

This led to a series of legal disputes about what constitutes cyberwar and when cyberinsurance carriers are obligated to pay for damages linked to state-sponsored attacks and subsequent legal rulings around these cases led many carriers to change their exclusion language to clarify which types of cyber attacks they would and would not cover.

This talk will examine these disputes through the lens of the history of cyberinsurance, tracing the emergence and continuing growth of the cyberinsurance industry and describing how it has evolved in the first twenty years of its existence, where it is headed, why online threats have been particularly challenging for many insurers to model, and what role policy-makers can and should play in helping the market stabilize and grow.