In the first place, the Geneva conventions were updated after NotPetya to certify that these sorts of things are Acts of War. If the court ruled that the release of NotPetya was not an act of war, the value of this decision as precedence of this appears to be at best limited.
If the court has taken the position that collateral damage, not being intended, is not an Act of War, that is an interesting theory, but contrary to the Geneva Convention. Collateral damage is a major subject of the convention, and parties at war most certainly be held responsible for it. It is not clear why insurance law would deviate from international law on this subject. (Imagine a bomb dropped on a government building that also destroyed a civilian building next to it. Is the destruction of the civilian building not also an Act of War? !?)
If the court has taken the position that the intent of the Russians when releasing NotPetya was to only cause damage in the Ukraine, that is an interesting theory, but contrary to the behavior of Russia under Putin both before and after the incident. The team who created NotPetya was certainly highly professional. They were well aware that such virus always spread beyond their nominative targets. This was not, however, an "unfortunate side effect". It was intended to terrorize Western populations into allowing Russia to do as it pleased. "See what happens when we don't get our way? Do you want more?" Russia's behavior towards Ukraine has not been an undeclared war against Ukraine alone, but against the entire Western system. This was an attack on the West generally, with Ukraine being the immediate target.
I have long hoped that the insurance industry would spur companies to clean up their act. As I have said before, it has sadly become clear that this is not likely to go anywhere. As it stands, almost nobody is any good against an attacker capable of researching their own zero days, and almost every commonly used software has turned up serious security bugs when the adults have dug hard. The reason for this is that the customer does not want to pay for security. No amount of box-checking (SOC II) is going to fix that.
Security surveys & audits are now part of my job. The entire exercise has been quite the letdown. On the other hand, it is extremely clear that a serious audit would involve full access to the code by a team of expert white hats. No one is going to pay for that.
The industry is uninsurable. When the insurance industry fully digests that, we might get a start of some useful change.