Defining war, and especially the risks arising from it, are notoriously difficult tasks. Factor into that challenge the ambiguous and shadowy cyber operations taking place in what is sometimes referred to as the ‘grey zone’, and you have a seemingly wicked problem.
In late December 2021, the Lloyd’s Market Association published its new war risks exclusion clauses for cyber war and state-attributed cyber operations, having worked with multiple stakeholders in an attempt to provide some solutions. Following a protracted and at times complex period of drafting and negotiation, the new clauses strike a welcome balance between the needs of a commercial sector facing ever-evolving cyber threats, and an insurance market seeking to insure against knowable risk and to keep premiums competitive and manageable.
Given the difficulties in defining war, it is perhaps unsurprising that this effort represents the first update to the war risk exclusions also to tackle the cyber risk in direct terms. There are four new clauses, which allow for a scalable approach to coverage, depending on the economic impact of a given cyber operation.
- LMA 1: Excludes cover for any losses happening through or in consequence of war or a cyber operation.
- LMA 2: Places specific sub-limits on pay-outs in the event of cyber operations, but excludes absolutely those operations launched in war, in retaliation by specified states, or which cause major detrimental impacts to the functioning of a state.
- LMA 3: As LMA 2, but with no specified sub-limits on pay-outs to claims.
- LMA 4: As LMA 3, but allowing for coverage to bystanding assets (i.e. those caught up in, or damaged by a cyber operation, but not those targeted) resulting from cyber operations causing major detrimental impacts to the functioning of a state.
These new wordings are not without controversy. The scale of force required to meet the definition of an armed attack remains highly contentious. State-sponsored offensive cyber operations are, by design, as opaque and difficult to attribute as possible. Their value lies in the fact that they take place in the shadows and, with only one or two notable exceptions, almost never give rise to the level and intensity of force required of an armed attack. Thus, creating a set of wordings that would define adequately the parameters of activity insured against in this context has required significant negotiation and compromise.
Cyber and insurance specialist lawyers from DAC Beachcroft have been at the heart of this endeavour from its inception, with both Julian Miller and Hans Allnutt providing expertise to the Lloyd’s Committee on the wording of the draft clauses and their likely impact.
In terms of impact, the success of the new clauses will depend to a large extent on their take-up. Lloyd’s is a highly influential market which has taken an important lead in cyber coverage, and it is reasonable to anticipate that other markets globally may seek to emulate these or to reference them in creating their own cyber war exclusions. Ultimately, however, they will need to be factored into coverages and their effectiveness will not properly be put to the test until claims are made following a destructive cyber operation. It is then that perhaps the two most difficult aspects of these clauses will require real analysis: (1) at what point can offensive activity meet the threshold of war, and (2) is a cyber operation attributable to any state?
Article 2(4) of the United Nations Charter, as well as the Tallinn Manual’s definition of the use of force, may provide some insight on how to approach question (1) above. Some ambiguity will inevitably remain and it may take time for a settled meaning to emerge. Question (2) has proved even more difficult. Not only do states go to great lengths to ensure the secrecy of their cyber activities, they also seek to blur lines of responsibility in terms of both their own actions and in attributing activity to others. Lloyd’s states that,
The primary but not exclusive factor in determining attribution of a cyber operation shall be whether the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf.
It is conceivable, however, that for any number of political reasons attribution by one state to another may be considered undesirable. Given the secrecy surrounding national cyber assets, it may also be the case that insurers are unable to assess attribution, and doubt in this area may leave insureds vulnerable and insurers uncertain of the scale of risk.
That said, there can be little doubt that the current cyber environment demands that insurers are able to provide their clients with viable cover and manageable premiums. Though this area is liable to evolve, and potentially in unexpected ways, the new exclusion clauses are likely flexible and pragmatic enough to cope and make a very welcome addition to coverages available in the cyber market.