The release of Lloyd’s nation state cyber mandate last August ballooned into a “PR disaster” following a barrage of negative coverage and the insurance industry must learn lessons on communicating, the CEO of managing general agent (MGA) CFC, which has a Lloyd’s syndicate, has said.
“It was an absolute PR disaster, it kills me,” Newman said in response to a question posed by Insurance Business at the 2023 CFC Summit in Chicago on May 18, 2023.
Newman labelled the fallout that erupted from the mandate a “frantic panic”, likely spurred on by conflict erupting in Europe with the onset of Russia’s Ukraine war, despite the clauses and intent having been in the works with the Lloyd’s Market Association for three years.
Last year, Lloyd’s unveiled suggested model clauses and a mandate, effective from the end of March 2023, for its participants to exclude certain state-impairing nation state-backed attacks and losses arising from a war, stoking broker and client fears and confusion, and resulting in a tide of what were described during the CFC event as negative headlines.
“I’ve never seen worse communication in my life,” Newman said of what followed the mandate’s release. “I would say in the insurance industry we don’t seem to be great at PR, and I think that’s something that we should all work on.
“Absolutely as insurers, we should bear a lot of culpability there for getting the messaging right.”
Newman’s comments came during a Q&A session at the MGA’s US broker event and followed a presentation from CFC corporate cyber senior underwriter Beth Granger in which 100s of attendees heard that the changes were not a kneejerk reaction or bid to close walls entirely on nation state-backed cyberattacks, rather a response to ongoing incidents dating back as far as 2014 through which Russia has targeted Ukrainian infrastructure. Such attacks have highlighted what might be possible should cyberwarfare be used to cripple countries.
2017’s NotPetya malware attack, which originated in Ukraine before spreading across the globe to cost companies – among them Merck, which has seen recent success in the US courts on its $1.4 billion all-risks property claim – billions of dollars, served as an uneasy harbinger of what could now be possible in an age of cyber warfare.
In a bid to tackle the spectre of systemic cyber risk, the clauses built by lawyers for Lloyd’s participants and the ensuing mandate was a bid to ensure carriers “excluded losses by nation state actors that were so catastrophic in nature that they destroyed a nation’s ability to function”, Granger said.
In layman’s terms, Granger said, this would have to be the “digital equivalent of a nuclear strike”, an event so vast that it would not be covered in any other standard insurance policy.
The cyber underwriter took aim at the “dozens of negative headlines” that stemmed from the changes.
“Be very clear, cyber insurers will continue to cover nation state attacks as they have been doing so for decades,” Granger said. “It’s important to clarify that this is not a new exclusion – we are simply altering the language and upgrading it and bringing it into the modern world.
“It really is such a shame to see a change in our market that is fundamentally positive for policyholders be portrayed negatively due to essentially it being misrepresented in the press and there being a load of confusion in our market.”
Lloyd’s declined to comment explicitly on what was said around communication at the CFC event; however, a Lloyd’s spokesperson said that cyber “remains a priority area for Lloyd’s and we will continue to take a pragmatic and innovative approach to supporting the growth of cyber at Lloyd’s.”
“The advisory guidance provided in August 2022 ensures we manage risk responsibly on behalf of customers – including potentially systemic risks – while approaching this complex field with the expertise and diligence it requires,” the spokesperson said. “Our response ensures we maintain an adequately capitalised market for manageable events, while providing clarity for customers on emerging political risks.”
The spokesperson said that rather than applying a “one size fits all” approach, the updated guidance is intended to encourage its managing agents to “recognise and apply due diligence to the specific complexities around state-sponsored cyberattacks, which come with potentially systemic risks for customers and our market.”
The spokesperson reaffirmed Lloyd’s commitment to the changes, and said that the corporation “did not take this decision lightly”.
“It is not a blanket exclusion but a segregation of risks in a fast maturing area of insurance,” the spokesperson said. “There are a number of teams of underwriters working on developing products in the Lloyd’s Lab to satiate the demand for this cover while managing the risk with appropriate capital and pricing to reflect volatility.”