Lloyd’s of London to exclude state-sponsored attacks from cyber insurance policies
Insurance market Lloyd’s of London is set to introduce cyber insurance exclusions to state-sponsored ‘catastrophic’ attack cover from 2023. In a Market Bulletin published August 16, 2022 , Lloyd’s said that while it “remains strongly in favor of writing cyber attacks cover”, it recognizes that “cybersecurity-related activities continue to be an ever-evolving risk”. Therefore, the company will require of all its groups of insurers that they apply an appropriate exclusion of liability clause for losses resulting from any state-sponsored cyberattack in accordance with several requirements.This decision reflects a maturing and evolving cyberinsurance market fast.
Nation-state attacks present a systemic risk for insurers
In his newsletter, Lloyd’s of London wrote that it consistently insists that underwriters must be clear in their formulations as to the cover they provide, with clarity surrounding cyberattacks involving state-supported actors of significant particular. “When writing cyberattack risks, underwriters should consider the possibility that state-sponsored attacks may occur outside of warfare involving physical force. The damage these attacks can cause and their ability to spread creates a similar systemic risk for insurers.
Lloyd’s aims to ensure that all unions writing in this class do so to an appropriate standard, with strong wordings, he added. “We consider the complexities that can arise from exposures to cyberattacks in the context of war or not, state-sponsored attacks mean that underwriters must ensure that their formulations are legally reviewed to ensure that they are robust enough.
Going forward, all stand-alone cyberattack policies under risk codes “CY” and “CZ” must include an appropriate clause excluding liability for losses resulting from any state-sponsored cyberattack in accordance with the requirements set out below , Lloyd’s said. At a minimum, the state-sponsored cyberattack exclusion must:
- Exclude losses arising from war (declared or undeclared), where the policy does not have a separate war exclusion.
- (Subject to 3) excluding losses resulting from state-sponsored cyberattacks that (a) materially impair a state’s ability to operate or (b) materially impair a state’s security capabilities.
- Clearly state whether coverage excludes computer systems located outside of any state that are affected in the manner described in 2(a) and (b) above, by the state-sponsored cyberattack.
- Establish a solid foundation on which the parties agree on how any state-sponsored cyberattack will be attributed to one or more states.
- Make sure all key terms are clearly defined.
“This clause is to be in addition to any war exclusion (which may be part of the same clause or separate from it),” Lloyd’s wrote. “Furthermore, given the complexities that can arise in drafting appropriate exclusion clauses, managing agents must be able to demonstrate that these exclusions have been legally reviewed with regard to policyholder interests.”
The requirements will come into effect on March 31, 2023, at the start or renewal of each policy, with no obligation to endorse existing policies in force, unless the expiry date is more than 12 months from March 31, 2023, according to Lloyd’s. “Managing agents will nevertheless want to start at an early stage to determine their approach to adopting appropriate exclusion clauses (including obtaining any necessary legal review),” he added.
Lloyd’s exclusion predictable, indicates cyberattacks aren’t just about money
Speaking to the CSO, Jonathan Armstrong, a lawyer and partner at compliance firm Cordery, said Lloyd’s decision to apply exclusions regarding state-sponsored cyberattacks is not surprising, but illustrates that cyberattacks do not are often not just about money. “It’s no surprise – just as terrorism and acts of war have been excluded from conventional insurance cover for years. We have seen how nation states use cyber warfare to raise funds for missile programs etc. but also to sow panic and despair in the same way acts of terror have been used in the offline world. for hundreds of years. My instinct is that non-Lloyd’s insurers will all follow as well.
It’s also another indicator that it’s becoming increasingly difficult for some organizations to obtain cyber coverage with prices such as higher prices and tighter upside limitations, Armstrong continues. “For organizations, it’s a reminder that insurance isn’t the answer to everything. It also reinforces the need for organizations to strengthen their own defenses.
Organizations will face the biggest problem of attribution of cyberattacks
The real problem organizations are going to face will be surrounding attribution, Armstrong adds. “Although with the help of a specialist you can often tell that there are indicators of nation-state involvement, we know that it is difficult to be certain. It is these difficulties that are likely to lead to litigation, as insurers may believe there is state involvement, but the insured may believe there is not.
Having proper procedures in place will be essential, and to achieve proper attribution, an organization will need appropriate and effective monitoring of its systems to aid in an investigation. “He’s also likely to need specialist help to analyze this evidence,” Armstrong says. “As always, it’s time to prepare for an attack before it happens, and some organizations will want to retest their preparedness plans given the need to gather this evidence to convince their insurers that a claim is within range.”
However, even with an accurate attribution of an attacker, companies might still struggle to prove nation-state involvement, cybersecurity consultant Lisa Forte wrote. “Even if you identify the group behind the attack, even if you locate it in a country (say Russia), and even if you can show that the Russian government was aware of the group that attacked you and only took no action against him, that’s not enough under international law to prove that the actions of this group are affiliated with the state. In fact, even if you had strong evidence that the Russian government paid the group that you attacked, that would still not be enough to meet that high bar.The state must exercise a level of operational and managerial control over the group to pass that high bar of a test.
In the United States, the onus would be on insurers to prove that the exception applies, but that is not the case in all countries, so the onus could be on the victim to show the opposite, Forte added. “It has been claimed in the sea of analysis on this decision that the attack will not necessarily need an official attribution to be excluded from policy coverage. The insurer can decide … if it is “ objectively reasonable to attribute cyberattacks to state activities”. Thus, the insurer could claim that the attack is excluded because it is “reasonable” to attribute it to a nation state. Not the clarity that maybe we wanted!
Copyright © 2022 IDG Communications, Inc.