Lloyd’s of London defends cyber insurance exclusion for state-backed attacks
Lloyd’s of London has defended a looming requirement that cyber policies written in the insurance market have an exemption for state-backed attacks, following a backlash among brokers and academics.
The move to limit systemic risk in the insurance market, announced last month and applicable to standalone cyber policies from the end of March, prompted warnings it would lead to legal disputes over whether certain attacks had state support while further restricting cover vital to businesses.
But Patrick Tiernan, Lloyd’s chief of markets, said the institution was acting responsibly to develop a product “that is in its infancy and still has relatively low international penetration”.
“Very often in the past, these sort of corrections or evolutions to policy language happen post-event . . . after everything has gone wrong,” Tiernan told the Financial Times. “I think this is Lloyd’s being responsible to our customers and acting with the market.”
The other option, he said, would be to drive up insurers’ capital requirements, which would add fuel to prices.
Exclusions for acts of war are typical for insurance coverage. In its circular last month, Lloyd’s said: “The ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure . . . means that losses have the potential to greatly exceed what the insurance market is able to absorb.”
However, Cindy Jordano, partner at law firm Cohen Ziffer Frenchman & McKenna, said the move could create “ambiguity as to whether coverage is afforded for certain cyber attacks that would otherwise be covered”, given the difficulty of saying whether an attack was state-backed. There could be “significant litigation over these exclusions”, she predicted.
The wording of war exclusions for cyber varies, and interpreting them is tricky given the challenges of identifying the attackers’ state links. Late last year, pharma group Merck succeeded in a US court claim that a war exclusion should not be applied to its losses suffered in the NotPetya malware attack.
Underwriters have defended the new guidance as an attempt to bring clarity to what is, in insurance terms, still a relatively young market: the first cyber policy written at Lloyd’s was in 1999.
The new requirement “doesn’t restrict cover at all from where we are right now”, said Graeme Newman, chief executive of cyber insurer CFC. “After Covid, have we not all learnt a lesson that having clarity in our language is better for both insurer and policyholder?” he added, referring to the bitter disputes between the sector and businesses over whether pandemic-related losses should be covered.
Lloyd’s said four example wordings provided by trade body the Lloyd’s Market Association in November, intended to bring clarity, would meet its requirements — although insurers are not obliged to use the wordings.
The examples vary in the extent of attacks specifically excluded from cover but have at their core a consideration as to whether “the government of the state . . . in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf”.
Josephine Wolff, Tufts professor and author of a book on cyber insurance, warned in an FT op-ed last week that state-sponsored attacks are becoming so frequent that a refusal to cover them could put companies off from buying a policy altogether.
Martin Lilley, director of corporate insurance at Manchester-based Broadway Insurance Brokers, which specialises in finding cover for small businesses, said the exemption requirement “certainly feels like another blow”, and “reflects the continuing restriction in cover available in the cyber insurance market”.
Cyber insurance prices have surged in recent years as insurers pass on the cost of ransomware claims. Lilley cited one client whose annual premium had risen to £75,000 this year from £10,000 previously. Some businesses were considering snubbing the cover altogether and retaining the balance-sheet risk themselves, he added.