Lloyd’s of London to exclude state-backed attacks from cyber insurance policies

Insurance marketplace Lloyd’s of London is set to introduce cyber insurance exclusions to coverage for “catastrophic” state-backed attacks from 2023. In a market bulletin published on August 16, 2022, Lloyd’s stated that whilst it “remains strongly supportive of the writing of cyberattack cover” it recognizes that “cyber-related business continues to be an evolving risk.” Therefore, the company will require all its insurer groups to apply a suitable clause excluding liability for losses arising from any state-backed cyberattack in accordance with several requirements. The move is reflective of a maturing and quickly evolving cyber insurance market.

Nation-state attacks pose systemic risk to insurers

In its bulletin, Lloyd’s of London wrote that it consistently emphasizes that underwriters need to be clear in their wordings as to the cover they are providing, with clarity surrounding cyberattacks involving state-backed actors of particular importance. “When writing cyberattack risks, underwriters need to take account of the possibility that state-backed attacks may occur outside of a war involving physical force. The damage that these attacks can cause and their ability to spread creates a similar systemic risk to insurers.”

Lloyd’s aims to ensure that all syndicates writing in this class are doing so at an appropriate standard, with robust wordings, it added. “We consider the complexities that can arise from cyberattack exposures in the context of war or non-war, state backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust.”

Moving forward, all standalone cyberattack policies falling within risk codes “CY” and “CZ” must include a suitable clause excluding liability for losses arising from any state-backed cyberattack in accordance with the requirements set out below, Lloyd’s stated. At a minimum, the state-backed cyberattack exclusion must:

1. Exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
2. (Subject to 3) exclude losses arising from state-backed cyberattacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.
3. Be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) and (b) above, by the state-backed cyberattack.
4. Set out a robust basis by which the parties agree on how any state-backed cyberattack will be attributed to one or more states.
5. Ensure all key terms are clearly defined.

“This clause must be in addition to any war exclusion (which can form part of the same clause or be separate to it),” Lloyd’s wrote. “Further, given the complexities that can arise in drafting suitable exclusion clauses, managing agents must be able to show that these exclusions have been legally reviewed having regard to the interests of underwriters.”

The requirements will take effect from March 31, 2023, at the inception or on renewal of each policy, with no requirement to endorse existing, in force policies, unless when the expiry date is more than 12 months from March 31, 2023, according to Lloyd’s. “Managing agents will nevertheless wish to start at an early stage to determine their approach to adopting appropriate exclusion clauses (including obtaining any necessary legal review),” it added.

Lloyd’s exclusion predictable, indicates cyberattacks aren’t just about money

Speaking to CSO, Jonathan Armstrong, lawyer and partner at compliance firm Cordery, says Lloyd’s decision to apply exclusions surrounding state-backed cyberattacks is not surprising but does illustrate that cyberattacks are often not just about money. “It’s not a surprise – just as terrorism and acts of war have been excluded from conventional insurance coverage for years. We have seen how nation-states use cyberwarfare to raise money for missile programs, etc., but also to spread panic and despair in the same way acts of terror have been used in the offline world for hundreds of years. My gut feel is that non-Lloyd’s insurers will all follow suit, too.”

It is also another indicator that it is becoming increasingly tricky for some organizations to get cyber coverage with things such as premium prices and stricter limitations on the rise, Armstrong continues. “For organizations, it’s a reminder that insurance isn’t the fix to everything. It also reinforces the need for organizations to shore up their own defenses.”

Cyberattack attribution biggest issue organizations will face

The real issue that organizations are going to face will be surrounding attribution, Armstrong adds. “Whilst with specialist help you can often say that there are indicators of nation-state involvement, we know it’s hard to be certain. It’s these difficulties which are likely to lead to litigation, as the insurers may think there is nation-state involvement, but the insured might think this is not the case.”

Putting proper procedures in place will be key, and to get attribution right an organization will need proper and effective monitoring on its systems to assist in an investigation. “It is also likely to need specialist help in analyzing that evidence,” says Armstrong. “As ever, the time to prepare for an attack is before it happens, and some organizations will want to re-test their readiness plans considering the need to gather this evidence to satisfy their insurers that a claim is in scope.”

However, even with accurate attribution of an attacker, businesses could still find it difficult to prove nation-state involvement, cybersecurity consultant Lisa Forte wrote. “Even if you identify the group behind the attack, even if you locate them in a country (let’s say Russia), and even if you can show that the Russian government knew about the group that attacked you and took no action against them, that’s not sufficient under international law to prove that that group’s actions are affiliated with the state. In fact, even if you had solid proof that the Russian government had paid the group that attacked you, that still would not be sufficient to meet this high bar. The state must exert a level of operational and managerial control over the group to pass this high bar of a test.”

In the U.S. the burden would fall on the insurers to prove the exception applies but that’s not the case in every country, so it could fall on the victim to show the reverse, Forte added. “It has been claimed in the sea of analysis on this decision that the attack won’t necessarily need official attribution to be excluded from the policy coverage. The insurer can decide … if it is ‘objectively reasonable to attribute cyberattacks to state activities.’ So, the insurer could claim that the attack is excluded because it is ‘reasonable’ to attribute it to a nation-state. Not the clarity we perhaps wanted!”