DLA Piper and its insurers clash over multi-million NotPetya payout

Law firm was hit in the crossfire as Russia-backed ransomware spread.


June 2017 saw one of the world’s most costly malware outbreaks ever.

The NotPetya ransomware, initially spread via a malicious automatic update to a popular Ukrainian accounting software tool, hit companies around the world including advertising giant WPP, household goods manufacturer Reckitt Benckiser, FedEx subsidiary TNT Express, and international shipping logistics company Maersk.

Shipping conglomerate Maersk later estimated that the NotPetya ransomware cost them as much as $300 million in lost revenue. Reckitt Benckiser, the firm behind such brands as Nurofen and Durex, blamed the malware attack for a $100 million loss in revenue.


Certainly not chump change.

One of those organisations hit by NotPetya was multinational law firm DLA Piper. The business, with a presence in over 40 countries, reportedly had a “flat network structure globally”, allowing every data centre and Windows-based server on its network to be impacted by NotPetya.

Wiping its systems and starting again must have been costly, even before you start counting the 15,000 hours of extra overtime it reportedly paid its IT staff.

So, it’s no surprise to hear that DLA Piper is interested in claiming back some of that expense from its insurers, Hiscox.

As The Times reports today, DLA Piper has started proceedings against Hiscox, saying that the insurance firm has failed to pay out for the damages and costs associated with the NotPetya attack – a claim which may amount to several million pounds.

From the sound of things, Hiscox is refusing to pay up because of the “act of war” exclusion clause commonly found in insurance policies. The UK government, you may recall, has officially stated that the Russian military was “almost certainly” behind the NotPetya attack.

A similar spat has recently broken out along the same lines between a firm (confectionery giant Mondelez) that was hit by the NotPetya ransomware, and an insurer (Zurich Insurance) that is declining to pay up.

I don’t know what type of insurance policy DLA Piper had with Hiscox, but as we discussed in a recent edition of the “Smashing Security” podcast, it appears that Mondelez may not have specifically had a cybersecurity insurance policy with Zurich but instead a property insurance policy that excluded warfare.

Smashing Security #117: 'SWATs on a plane'


It will be interesting to see what comes out of the current dispute between DLA Piper and Hiscox, but my advice for other companies is that they should check their insurance policies’ small print and adjust as necessary.

After all, I suspect your business wouldn’t like to find out it’s not covered for a malware attack because it’s caught in the crossfire as countries launch digital attacks against each other.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “DLA Piper and its insurers clash over multi-million NotPetya payout”

  1. Jeffrey Smith

    Seems they are trying to recover from a general liability (slip and fall) insurance policy since they didn't buy cyber insurance. It's like me filing an auto claim for injuries sustained when I drank too much and fell down the stairs.
