Lloyd’s of London’s latest cyber mandate, which will force its managing agents to exclude state-backed cyberattacks and war from standalone cyber policies from the end of next March, could lead the wider insurance market to adopt similar exclusions, and potentially lead to a stream of litigation, sources told Insurance Business.
The Lloyd’s mandate comes as Russia’s Ukraine war has further thrust cyber risk into the public consciousness.
“Cyberattack risks involving state actors, however, have additional features that require consideration,” Lloyd’s set out in its August 16 market bulletin.
“In particular, when writing cyberattack risks, underwriters need to take account of the possibility that state backed attacks may occur outside of a war involving physical force. The damage that these attacks can cause and their ability to spread creates a similar systemic risk to insurers.”
This is not the first time that Lloyd’s has sought to close a cyber gap. From 2020, market participants had to explicitly state whether a policy covered cyber or not.
The latest changes come as managing agents are already tightening wordings to exclude “cyberattack exposure arising both from war and non-war, state backed cyber-attacks”, Lloyd’s said in the update.
However, it added in the bulletin: “We wish to ensure, however, that all syndicates writing in this class are doing so at an appropriate standard, with robust wordings.”
Should the changes go ahead from March 31, sources said it was likely that others in the global insurance market would follow suit.
They also warned of potential “grey areas”, where it might be hard to determine whether an attack is state-backed or not, and of litigation that could follow.
“Any time that new exclusions or new policy language is introduced, especially when you're talking about losses like cyber risks that are really sophisticated and evolving. I think that when they first roll out, there may be a lot of litigation, over what these exclusions mean, how they're enforced,” said Cindy Jordano, partner at Cohen Ziffer Frenchman & McKenna, based in New York.
Jordano predicted that other insurers were likely to “follow suit”, though others may be “more opportunistic and see this as an area where they can perhaps offer coverage where Lloyd’s is lacking.”
Insurers may face challenges in proving that exclusions apply “unambiguously to any given case”.
“It's going to be difficult in practice to enforce these exclusions, because a lot of these cyberattacks are committed undercover, they're committed anonymously, and you're almost never going to have a state come out and admit they were behind it,” Jordano said.
In the UK, John Pennick, chair of the British Insurance Brokers’ Associations’ cyber focus panel, warned of multiple concerns for brokers stemming from the changes, including reputational issues.
“If it's left for the business who's been infected with ransomware to try and deal with the matter themselves, then quite possibly that business is going to go bust,” Pennick cautioned.“Or if insurers later decide, actually it wasn't an act of war and decide it is covered, it might be too late.”
While some stakeholders have raised the alarm on the changes, for Chris Gissing, business development representative at Arete Response, the intent behind the move is nevertheless “great”.
“The fact that they have directly come out to reaffirm their support of cyber insurance is incredibly positive for the market as a whole, as well Lloyd’s being active in looking to address cyber ransom events - one of the major challenges in the sector,” Gissing said.
“Generally, the market has already taken steps towards reducing the exposure to ransomware attacks, and other cyberattacks, through a more robust approach in underwriting controls – it’s now almost impossible to get a policy without requirements for MFA or conditions or sub limits for ransomware cover, as examples.”
The real challenge, Gissing set out, will be identifying whether attacks are state-backed.
“The anonymity of the internet already makes it incredibly difficult to attribute an attack to either a nation state or a criminal organisation with total confidence,” he commented. “That’s even without addressing the grey area of those crime organisations that are potentially state backed, are sympathetic to the state or even hacktivists.”
“The exclusions could create greater dispute regarding policyholder reimbursement absent a clear, uniform standard for identifying a “state-backed cyberattack,” Gissing added.
The cyber response firm employee said he hoped the change would drive greater collaboration and public-private sharing.
“It’s going to need the whole village to win this war,” Gissing said.
Eighty-six percent of respondents in a recent survey believed they had been targeted by a cyberattack by an organization acting on behalf of a nation state, with the lines between state and non-state attacks continuing to “blur”, the report found.
Trellix and the US Center for Strategic and International Studies surveyed 800 IT security decision makers from the US, the UK, Germany, France, Japan, India and Australia between November and December 2021.
Different countries pursue different cyber objectives, the report set out, with Russia, China, and Iran having political, military, and industrial motives. Cyber attackers from North Korea, which the report said seeks money to assist its regime, reportedly extracted “nearly $400 million work of digital assets” in 2021, according to Chainalysis.
The estimated cost for organizations victim to a successful nation-state-backed cyberattack exceeds $1 million per incident and averages $1.6 million in losses per incident, according to Christiaan Beek, lead scientist and senior principal engineer, Trellix Threat Labs.
“We have found that 63% of the IT decision makers have high levels of confidence in being able to differentiate the types of incidents,” said Beek.
“When organizations have cybersecurity strategies in place to deal with incidents on behalf of their customers, they have a higher level of confidence differentiating between state-backed and other cyber incidents.”