Starting from March 31, 2023, Lloyd’s of London insurance policies will no longer cover losses resulting from certain nation-state cyber-attacks, including those that occur during wars.

Why was the memo issued?

In recent months, cyber insurance has undergone a period of readjustment as insurers have gained a better understanding of how to quantify and price the risk they are insuring. This is driven by the increase in cyberattacks on businesses of all kinds in recent years.

The cyber-insurance industry has debated war exclusions in particular for years, but recent geopolitical developments such as the war in Ukraine and the tensions between China and Taiwan rekindled concerns that a big cyber-attack, such as one that disables critical infrastructure, may result in catastrophic losses for insurers.

After a New Jersey judge determined last year that Merck & Co. was entitled to reimbursements from its insurers following the 2017 NotPetya cyber-attack, insurers have begun examining ways to tighten the language in their policies. The company’s property and casualty insurers had originally denied the claims on the basis of war exclusions. In that case, the judge ruled that it was unreasonable to expect Merck to be aware that war exclusions would apply to such an occurrence, in effect concluding that a typical war exclusion does not encompass cyberattacks.

The Lloyd’s memo at a glance

Underwriting director Tony Chaudhry stated in a memo sent to the company’s 76-plus insurance syndicates that Lloyd’s remains “strongly supportive” of cyber-attack coverage. As these threats continue to develop, however, they may “expose the market to systemic risks that syndicates could struggle to manage.” The memo stresses that state-sponsored attacks are particularly expensive to cover.

In light of this, Chaudhry argued that all stand-alone cyber-attack policies must include “a suitable clause” excluding liability for losses resulting from any state-sponsored hack. “We consider the complexities that can arise from cyberattack exposures in the context of war or non-war, state-backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust,” reads the memo.

Unless the policy already contains a separate war exclusion, these policies must at a minimum exclude losses resulting from a declared or undeclared war. In addition, they must at least exclude damages from nation-state cyber-attacks against critical infrastructure, such as energy utilities, that “significantly impair the ability of a state to function or that significantly impair the security capabilities of a state.”

“The focus of this memo is on state-backed attacks, whether in the context of war, or non-war situations,” stated Nikos Georgopoulos, Cyber and Privacy Risks Insurance Advisor at Cromar Insurance Brokers in Greece.

However, the problem is attributing an attack to a state. The memo states that policies must “set out a robust basis by which the parties agree on how any state-backed cyber-attack will be attributed to one or more states.”

The attribution problem

Rob Joyce, the NSA’s director of cybersecurity, stated at this year’s RSA Conference that attributing a cyberattack with 100 percent certainty to a specific criminal organization or nation-state “is absolutely hard.” As advanced persistent crime groups become more sophisticated, adopt business-as-a-service models, and gain access to more resources, it becomes increasingly difficult to distinguish between nation-states and cybercrime gangs.

However, even if an insurer or an agency can identify the attacker, legally tying that attacker to a state is very difficult. In the words of Lisa Forte, Partner at Red Goat:

“Even if you identify the group behind the attack, even if you locate them in a country (let’s say Russia), even if you can show that the Russian Government knew about the group that attacked you and took no action against them, that’s not sufficient under International Law to prove that that group’s actions are affiliated with the state. In fact, even if you had solid proof that the Russian Government had paid the group that attacked you, that still would not be sufficient to meet this high bar. We had this very issue with terrorism many years ago when I was doing a master’s in International Law and Maritime Law. The state has to exert a level of operational and managerial control over the group to pass this high bar of a test.”

According to Peter Hawley, director of insurance solutions for Europe at SecurityScorecard, the question of attribution will likely be settled as a legal matter rather than a technical one, because insurance policies are legally binding contracts.

“In U.S. litigation, insurers must generally demonstrate that an exclusion within an insurance policy applies to the case. This puts the burden of proof on the insurers in the case of the war exclusion,” Moody’s analysts said in a note. However, this is not the case in every country, which also means that “it could fall on the victim to show the reverse,” points out Lisa Forte.

The purpose of Lloyd’s memo is to provide more clarity on this much-debated topic. What happens if the insurer decides that it is “objectively reasonable” to attribute a cyber-attack to a certain state and excludes the loss on that basis? Is “reasonable” a legally binding standard? That is definitely not the clarity businesses would like to see.

Cyber insurance is an essential step to protecting your business and walks hand-in-hand with being prepared to defend against increasing and sophisticated attacks. Relying on a trustworthy managed services provider, such as ITEGRITI, can help you address the challenges of a constantly changing risk environment. To learn how we can help, contact us.