Cyber insurance exclusions have caused a stir in the Lloyd’s of London insurance community over the past year.
Cyber warfare between state actors has become commonplace in an increasingly digital world. In areas of high geopolitical tension, there has been a reported growth in the number of state-targeted cyber attacks.
For example, DDoS attacks have a historic association with Russian military activities, having been deployed against Estonia, Georgia, and Crimea in the past, and, more recently, against Ukraine. Some studies have suggested that the increase in DDoS attacks from Q1 2021 to Q1 2022 was as high as 450%. Furthermore, the average duration of DDoS attacks in Q1 2022 was reported to be 8000% higher than the same figure for 2021.
However, defining “cyber warfare” and “cyber terrorism”, distinguishing between the nation-states that carry them out and the cybercriminal syndicates that spot a lucrative hacking opportunity in the same conflict, and neatly framing the risks and consequences of such attacks, have challenged law enforcement authorities, governments, business leaders, and the insurance sector around the world.
LMA 2022 Bulletins on Cyber Insurance Exclusions
In early 2022, the Lloyd’s Market Association (LMA) began to tackle these issues and published four model cyber war exclusions. The release of these model clauses caused quite a stir in the cyber insurance industry and sparked significant confusion.
Consequently, Lloyd’s published a second bulletin in August 2022, establishing a new requirement that
all policies falling under the class codes CY (cyber liability) and CZ (cyber property damage) contain a suitable exclusion for loss arising from a state-backed cyberattack, in addition to any war exclusion clause.
In other words, the August 2022 bulletin reiterated the prohibition on covering war risk and clarified that policies issued under Lloyd’s must remove exposure to a nonphysical, cyber, state-on-state attack.
Although Lloyd’s has not yet formally mandated their use, these LMA exclusions are expected to be applied by all Lloyd’s syndicates and markets (at least on a new-business basis).
Unpacking the Model Clauses
Let’s begin with a top-down view of these clauses.
- They are all broadly drafted. This means that they exclude loss “directly or indirectly” stemming from the excluded events.
- War is defined as the use of physical force, confiscation, nationalization, or destruction of property on the orders of a nation-state.
- Cyber operations are defined as the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.
- The bulletin clarified how a cyber operation is attributed to a state:
  - Where the defending state attributes the cyber operation to another state.
  - Where no such attribution has been made, insurers may rely on an inference that is “objectively reasonable”, and no loss is payable pending attribution. In other words, a robust method of determining attribution must be applied between the insured and the insurer; it is not one-sided in favor of the insurer alone.
This final point is significant. It means that the “burden of proof” in determining whether a cyber attack is state-sponsored rests on the insurer. This is a marked change: until now it has never been clear where the burden of proof rests, and the question has always been further complicated by the fact that cyber weapons are designed to be “plausibly deniable”. Insurers will now need to conduct extensive forensic analysis of cyber events to establish their origin, the extent of state involvement, and their relationship to a conflict’s aims. It should be noted, however, that such forensic investigation may take a long time, and during that period the client is left out of pocket for all of the incident response (IR) costs: legal, PR, technical, and so on. For larger organizations this initial outlay may not cause great financial strain, but SMBs will be unable to survive this kind of cyber incident without insurer reimbursement. This is an issue the industry will need to continue tackling.
All of the clauses exclude losses stemming from war or from cyber operations carried out in the course of war. However, Lloyd’s does not require a complete exclusion for all state-backed cyber attacks, big or small. Only attacks which cause significant impairment to another state must be excluded. It is still possible to cover collateral damage in another state that is not significantly impaired but is affected nonetheless.
We have also ranked the four LMA clauses from most policyholder-friendly to strictest (i.e. the most insurer-friendly).
A closer look at the individual exclusions
Bystanding cyber asset: a computer system used by an insured or its third-party service providers that is not physically located in an impacted state but is affected by a cyber operation.
Work in progress
Lloyd’s syndicates are still grappling with the recent LMA guidelines and are likely to do so until these requirements are cemented into formal policy language. Indeed, some market participants have been modifying the model exclusions via endorsements that add clear definitions of the new concepts (such as “cyber operation,” “major detrimental impact,” “impacted state,” and “essential services”) that leave no room for ambiguity, together with clearer parameters around attribution. It is, however, vital for cyber insurance professionals to be aware of the delicate nuances between the four model clauses and of their increasing use in cyber liability policies.
Please note: since the publication of this article, Lloyd’s has released a new bulletin which refines some of the policy language, to be implemented from 31 March 2023. You can read about the minor changes here.