Lloyd’s Market Bulletin Y5381
Back in March 2022, we detailed the significant risks to both insureds and insurers posed by unclear cyber insurance policy wordings, with a particular focus on war exclusion clauses in the aftermath of the decision in Merck and International Indemnity v ACE (et al.)1. Amid a rapid expansion in demand for cyber policy coverage2 and a heightened risk of state-backed cyberattacks as a result of the ongoing conflict in Ukraine3, the issue has yet to be fully resolved. On 16 August 2022, Lloyd’s of London (Lloyd’s) released Market Bulletin Y5381, which requires Lloyd’s syndicates to include certain baseline exclusions for state-backed cyberattacks in their policies from 31 March 2023, at the inception or renewal of each policy4. This requirement is part of a recent trend of insurers limiting their exposure to cyber incidents by raising premiums, reducing policy limits and excluding coverage for certain events. Businesses paid an average of 133 percent more in premiums in December 2021 than at the same time in the previous year, and the policy limits on offer in Q1 2022 were roughly half of those offered during the 2021 renewal cycle.
Recent insurance market commentary
In December 2022, Mario Greco, CEO of Zurich Insurance, praised the US government’s steps to discourage ransom payments to cyber attackers5. However, he also warned that cyber attacks could become ‘uninsurable’ because of the rapidly rising impact, cost and proliferation of ransomware and related cyber incidents, coupled with the increasing commoditization of hacking tools on the one hand and the increasing determination of state and state-sponsored threat actors on the other. The cost of ransomware, and of other destabilizing or destructive attacks, can be measured not just in terms of data privacy but in terms of physical damage, particularly to critical infrastructure and the public sector, which is very expensive to repair.
Know your cyber coverage
It is important that both insureds and insurers clarify the extent and sufficiency of cyber insurance coverage. Without clearly worded exclusion clauses, insureds may mistakenly believe that they are covered for any and all cyberattacks when, in fact, state-backed cyberattacks may be excluded under their policies. Alternatively, insurers may be exposed to losses from what are effectively cyber acts of war, which common insurance policies are not designed to cover6. Tony Chaudhry, Underwriting Director at Lloyd’s, has described the writing of cyber insurance as an “evolving risk” for underwriters, noting that without the exclusion of cyber warfare from coverage, such policies may pose a “systemic risk to insurers”7.
Clarity around coverage?
From 31 March 2023, Lloyd’s requires state-backed cyber exclusion clauses to:
- exclude losses which arise from a war (whether declared or not), where the policy does not have a separate war exclusion;
- exclude losses arising from state-backed cyber attacks that significantly impair (a) the ability of a state to function or (b) the security capabilities of a state8;
- be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in (a) & (b) above, by the state-backed cyber-attack;
- set out a robust basis by which the parties agree on how any state-backed cyber-attack will be attributed to one or more states; and
- ensure all key terms are clearly defined.
In Merck, the court found that insurers could not rely on traditional war exclusion clauses to deny coverage for damage caused by state-backed cyberattacks, because such clauses “applied only to traditional forms of warfare”9. The new exclusions are an attempt by Lloyd’s to counteract that decision and narrow the coverage available. However, excluding cyberattacks such as the NotPetya malware would ultimately undermine the utility of, and demand for, cyber policies10. The exclusions apply even where there is no underlying physical war, which was an issue central to the NotPetya litigation.
NotPetya was attributed to the Russian government by the US and other national governments and is estimated to have caused $10 billion in damage worldwide. Zurich American Insurance denied a $100 million claim by the multinational food company Mondelez for losses arising from the incident, relying on a war exclusion that excluded coverage for loss arising out of “hostile or warlike actions (…) by any government or sovereign power (…)”. That case settled on 24 October 2022, shortly before trial. In Merck & Co v. Ace American Insurance, however, a denial of coverage for the NotPetya attack was ruled improper: the court held that the war exclusion did not apply, because a reasonable understanding of the war exclusion would require the use of armed forces. With the new contract language, Lloyd’s is aiming to avoid the ambiguity of applying a traditional war exclusion to cyber-attacks.
Third country damage
A particular issue with state-backed cyberattacks is the potential for such attacks to spread inadvertently beyond the target nation’s borders to a third country, as seen with the NotPetya malware, which initially appeared in Ukraine but subsequently spread worldwide. The Lloyd’s bulletin requires an insurer to “be clear” as to whether cover excludes such damage, but no further guidance is provided. Accordingly, it remains unclear whether, for instance, collateral damage caused in a third country by a state-backed cyberattack that is excluded under the Lloyd’s baseline exclusion would be covered.
Establishing attribution remains a central difficulty in excluding losses caused by state-backed cyberattacks, since by its very nature the perpetrator of a cyber-attack is less easily identifiable than the perpetrator of a physical attack. The Lloyd’s model cyber clauses approach attribution by relying on the determination of the government of the state affected (including its intelligence and security services) as the “primary but not exclusive factor in determining attribution”11 (emphasis added), although, “pending attribution by the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located, the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its behalf”. What is “objectively reasonable” in an age of (mis)information will be open to debate in many cases; nonetheless, Lloyd’s is indicating that the insurer is likely to be the arbiter of attribution, even in the absence of a clear government declaration. Beyond the technical challenges of attributing a cyber-attack to a foreign government, national governments may choose not to make a public attribution in order to protect intelligence sources and methods, for diplomatic or military reasons, or because of domestic politics. State sponsors of cyber attacks also build their strategy on plausible deniability, maintaining a semipermeable membrane between criminal and state-directed cyber activity. The Russian Federal Security Service (FSB, the principal successor to the Soviet KGB) has been known to contract out traditional espionage activities to criminal hacking groups.
The attribution process takes time, and the first few days after a cyber-attack are critical: organizations must recover their systems, discover what data and systems may have been affected and how the attack occurred, and at the same time communicate the event to their clients, customers, investors, suppliers, employees and regulators. Legal counsel, breach recovery services and forensic investigations are critical immediately after a breach is discovered, and their costs may be covered by cyber insurance policies. Unless the exclusion is carefully drafted, organizations could face uncertainty over whether their policy will cover the costs of remediation and third-party experts in the early days of an event, which may be some weeks before attribution is determined (if it ever is). Litigation between an insurer and its insured may become a battle of the experts where the insurer itself attributes an attack to a nation-state and denies coverage on that basis. Without a mandatory arbitration clause (or another form of alternative dispute resolution), litigation of this type raises the risk that details organizations generally want to keep out of the public eye following a cyber-event become public. These difficulties bring uncertainty, and with the announcement from Lloyd’s it would appear that companies will bear a greater share of the risk.
Conclusion and Significance
It remains to be seen to what extent Lloyd’s decision to exclude state-backed cyber-attacks from standard cyber insurance policies will be mimicked by other insurance providers. However, Marsh initially published a critique of the exclusion requirement shortly after it was published12, then softened its stance and suggested its own exclusion language some weeks later13, perhaps indicating the direction of travel. From the insurance industry’s perspective, it is possible that some of the risk of state-backed attacks will be shared with the public sector, as happens with other risks such as terrorism and pandemics; certain insurers have already called for this. But, in this new environment, organizations may want to:
- pay particular attention to how terms like “cyber operation” are defined, and how attribution will be determined in cases of suspected state-backed cyber attacks;
- scour definitions integral to policy coverage, such as “software systems”, “networks” and “equipment”, to ensure appropriate coverage, including when attacks affect third-party applications, vendors, virtual networks and cloud services;
- verify the extent to which insurance company pre-approval is required, including in the heat of a crippling attack; and
- confirm they have robust and tested breach response plans in place, aligned with insurers, and that insurers have pre-approved the companies’ preferred outside counsel (not just panel counsel), forensic providers and crisis communicators.
Organizations may also want to re-evaluate how best to apportion resources in light of the rapidly escalating cyber threat, the contraction in coverage and the rise in premiums. In essence, the time may come for executives and their Boards to re-examine whether, and to what extent, premium payments should be re-allocated to self-insurance, captives and improved preparedness, from both an IT and a governance perspective. Setting up captives is something we have advised clients on. One organisation recently explained that its IT function was in fact quietly delighted following a cyber incident, because the board had subsequently, and immediately, authorised a two-year information security roadmap and budget, which was implemented in less than eight weeks. Every cloud has a silver lining, perhaps, but cybersecurity is not just about IT, and no company should wait for catastrophe to strike before optimizing prevention, protection and preparedness. Ultimately, cyber insurance may still play a central role in a company’s risk-based cyber strategy, but companies should consider starting 2023 with a fresh look at their overall strategy.