Proposals by Lloyd’s of London that will see its managing agents required to exclude war and state-backed cyber attacks from standalone cyber policies are a cause for concern for brokers, according to the chair of the British Insurance Brokers’ Association’s cyber panel chair.
John Pennick, Berkeley Insurance Group financial risks director and BIBA focus group chair, told Insurance Business that the broker association will push back on the changes, and predicted there was a “reasonable and realistic” chance that if Lloyd’s is successful in the move, then the rest of the market will follow suit.
This, Pennick said, could “undermine confidence in the standalone cyber at a time when the market is in its relative infancy.”
He warned of the potential for “reputational harm” to brokers and the insurance market because of the changes.
“In the event of a wide-scale ransomware attack, for example, affecting tens of thousands of businesses, if it came to light it was never going to be covered anyway, because there was potential there for it to be an act of war, but that advice hadn't been given at the outset of the cover being arranged, then we could have that reputational issue,” Pennick said.
“There is the danger there that unless specific advice is given to clients on the cover that they're buying, that there may be differences of opinion as to how wide that cover actually is.”
Lloyd’s unveiled the proposals in a market bulletin in mid-August and will require managing agents to have the exclusions in place from 31 March 2023, at the inception or renewal of each policy.
A few further concerns stood out for Pennick, who accepted that “realistically, we expected this to happen at some point in the future”, with BIBA having met with law firm DAC Beachcroft last week to discuss what the changes mean for the market.
Concerns included delays, attribution, political motivation, reputational risk, wider market acceptance and litigation – and Pennick warned that if cyber claims responses are delayed as a result then insureds could find themselves out of pocket and out of business.
“The main issue here is the practicalities of such an exclusion,” Pennick said.
“Ordinarily, with a war exclusion in the past, it would have been [related to] matters that would result in property damage – someone's firing a rocket at your factory, it'd be clear that that was going to be an act of war.
“But now, when we're talking about a cyber attack, it's not immediately obvious.”
Insureds want to know that their cover will respond in the event of an emergency, Pennick said, and it would not be welcome if insurers were to delay as they determined whether an incident was an act of war.
“If it's the government delaying whether or not they think it is an act of war, and it's down to the insurers to come up with their own conclusion, then that's not necessarily going to be in the policyholder’s favour,” Pennick cautioned.
“And where we have an emergency situation where someone's had a ransomware attack, for example, and they need the policy cover to react urgently.”
“If it's left for the business who's been infected with ransomware to try and deal with the matter themselves, then quite possibly that business is going to go bust,” Pennick said.
“Or if insurers later decide, well, actually it wasn't an act of war and decide it is covered, it might be too late.”
Political motivation in judging whether a cyber attack was state-backed is another area of concern for brokers.
“It may be in the government's interest to say this is an act of war, and it doesn't really seem fair that a cyber policyholder cover should be dependent upon what the politicians say at that point in time,” according to Pennick.
Additionally, he warned that insureds who had gained a greater awareness of cyber risk from Russia’s Ukraine invasion could be put off purchasing the cover.
“If people who now don't have cover are thinking, ‘perhaps I should have cyber insurance because of what's going on in Ukraine at the moment’, they might be dissuaded from that if they think the cover is going to be subject to an exclusion of war,” Pennick said.
The BIBA cyber group chair said that litigation down the road was not an impossibility and drew parallels to recent COVID-19 business interruption disputes.
Insurers have paid out more than £1.2 billion since the Financial Conduct Authority’s test case, which concluded in January 2021, according to figures from the regulator. Many policies, though, did not ultimately pay out.
Other disputes have continued, including pub chain Stonegate’s whopping £1.1 billion case, heard in the courts this summer and awaiting judgment.
“I can see [litigation] being a possibility,” Pennick said. “And in a situation like COVID, where it's on such a scale that it's in insurers’ interests to apply that exclusion, then it's far easier and more likely for them to sit back and await the legal challenge, rather than to do anything where they might give it some sort of cover and response.”
