State-sponsored Cyber Attacks – New Lloyd's Requirements and What it Means for You

Published 07 September 2022

Lloyd’s of London recently issued a Market Bulletin (found here) regarding state-backed cyber-attack exclusions. This is important as it is likely to result in changes to policy terms at your next renewal. We discuss below the background and likely impact.

What is driving these developments?

As flagged in our previous article here, in the last year cyber insurers have been working to assess and respond to their increasing exposures to systemic, market-wide incidents – which, given the number of policyholders impacted, are a particular risk to insurers’ balance sheets. A real focus has been on state-sponsored cyber-attacks. This was driven initially by the ‘NotPetya’ attack in 2017, but has taken on renewed priority given the war in Ukraine.

A key aspect of this has been insurers’ development of updated war / terrorism exclusions to deal with state-sponsored attacks. In late 2021, the Lloyd’s Market Association (LMA) released four new exclusions that sought to clarify insurers’ exposures and would replace ‘traditional’ war exclusions in cyber policies.

At a high level the clauses are framed to exclude both war in the traditional physical sense, and also loss resulting from ‘cyber operations’. Cyber operations are effectively state-sponsored cyber-attacks, involving use of a computer system by or on behalf of a state to attack a computer system of or in another state. The precise scope of excluded matters then depends on the LMA version under review. However, broadly a cyber operation is excluded where either:

  1. it is carried out in the course of (physical) war; or
  2. it has a major detrimental impact on the functioning of a state (by its impact on an essential service in that state), or on the security or defence of a state.

In a change from previous approaches, the LMA clauses also have new, lengthy terms dealing with attribution of attacks to states. Our Cyber War & Terror Exclusions summary can be found here.

What has changed now?

The key change now is the consistency with which the new clauses will be applied. Given resistance from brokers and policyholders, comparatively few insurers have required use of the LMA forms. It has certainly not been the market-wide clarification that the LMA might have hoped for. However there remain issues with traditional war exclusions, which were developed in the property market and not with cyber complexities in mind. So there are legitimate concerns that ensuring a sustainable cyber insurance market requires additional clarity and consistency.

As a result, Lloyd’s itself has now stepped in to ensure (in its eyes) that Lloyd’s of London insurers are protected. At high level the Bulletin provides that with effect from 31 March 2023, cyber policies issued by Lloyd’s syndicates must include a suitable exclusion for state-backed cyber-attacks. This is in addition to a war exclusion, and will apply to all stand-alone cyber policies within the class codes for cyber liability (CY) and cyber property damage (CZ).

In a practical sense, the Bulletin is primarily a means for Lloyd’s to ensure consistent application of the four LMA war exclusions. However it does not mandate use of those clauses specifically. This provides opportunity for improvement, and certain insurers have developed alternatives that are likely to also receive Lloyd’s approval as being compliant. What is clear is that traditional war exclusions will need to be modified, and that a close eye will be kept on consistency – as Lloyd’s insurers must put any bespoke war exclusions through legal review to ensure they are appropriately robust.

What does this mean for you?

Nation-state cyber-attacks are a persistent and daunting threat, and a sustainable and affordable cyber insurance market does require clarity on the scope of cover provided. However that must be balanced with policyholder needs, and avoid blanket exclusion of all catastrophic incidents. This is an issue that brokers and insurers across the market are grappling with. Lloyd’s has taken a first step, but we are aware of other insurers seeking to take similar action. The issue is ultimately market-wide and will continue to evolve.

From a policyholder perspective, the devil is in the detail. Mandating exclusions for state-sponsored attacks is headline-grabbing. But traditional war exclusions may have language that potentially already extends their scope to a broader range of state-sponsored scenarios – as was argued by insurers (albeit in a property context) in the Merck NotPetya matter discussed here. The main aim of the current discussions is to remove the ambiguity debated in that case, rather than significantly expand the scope of the traditional exclusions. In that context, the LMA as well as other insurers have stated that there have not been any attacks to date of sufficient detrimental impact to have triggered the LMA clauses. 

That is not to say, however, that the LMA clauses are wholly appropriate in their current form. There are new and untested terms, and difficulties with areas such as attribution that will need to be worked through. Nonetheless in all but the least policyholder-friendly version, there are also important caveats limiting where the exclusions trigger. A key carve-out is for damage in another state that is affected by the attack, but not subject of a major detrimental impact (avoiding blanket application of the exclusion to global cyber networks).

As a result it is important to discuss the issue with your broking contact prior to renewal. The applicable language and available options may well alter as our discussions with the market progress and 31 March 2023 comes into view. Insurers are also looking at systemic risks more generally, and we are currently engaged with Lloyd’s and other insurers on relevant language that they anticipate applying globally. We will be writing separately on that topic in due course, and will continue to keep our policyholders updated.


This article was authored by members of Howden’s specialist Cyber team and Legal, Technical & Claims team. The Legal, Technical & Claims team is made up of senior insurance lawyers and experienced claims professionals, and provides support on insurance claims, policy wordings and legal and regulatory developments as they impact your business. If you have any queries on the issues raised, please feel free to contact a member of the team directly.

Kathryn Brown, Divisional Director - Cyber & Technology Solutions
T: +44 (0)7711 595581

Christina Leo, Divisional Director - Cyber & Technology Solutions
T: +44 (0) 2038 312701

Neil Warlow, Divisional Director - Legal, Technical and Claims
T: +44 (0)7923 208441

James Wakefield, Claims Handler - Legal, Technical and Claims
T: +44 (0)2038 087561