Zurich is refusing to pay out a $100m cyberattack damages claim by Cadbury owner Mondelez, which was hit by a series of ransomware attacks in 2017.

The insurance firm claims the policy did not cover “a hostile or warlike action” by a government or sovereign power, or by agents acting on behalf of one. 

Attribution is so difficult in cybersecurity incidents. This case could make it pretty easy for insurance companies to play the nation-state actor 'get out of jail' card.

Imagine the business impact of having 1,700 servers and 24,000 laptops destroyed. And then when the time comes for your insurance company to pay the claim you receive the reply: "Computer says no."

Time to pull your insurance contract and read the fine print?