Lloyd’s of London says its controversial cyberwar exclusions could hit profits
The chief executive of Lloyd’s of London warned last week that it could suffer a short-term hit to its income as a result of its controversial cyberwar exclusions.
Lloyd’s, which is not an insurer itself but a corporate body and market for insurance underwriters, was criticized last year after developing several exclusions allowing insurers to reject claims in the event of state-sponsored cyberattacks.
During a Q&A session on March 23 following its annual results announcement, Lloyd’s chief executive John Neal said it was “self-evident” that underwriters could not provide “carte blanche” cover for cyberwar.
“We cannot leave ourselves in a … situation where, for example, with business interruption claims, we're debating the cover at the point of loss,” he said, as reported by Insurance Insider, adding that even if the stance meant a short-term hit on income, cyber remains the fastest growing product in the market.
The development of the exclusions followed several high-profile and multi-year legal cases related to claims around the NotPetya cyberattack in 2017 that reportedly caused more than $10 billion in global damages.
The destructive attack had been designed by a cyber unit of the Russian military intelligence service and first introduced into a popular Ukrainian accounting company’s software.
However, it quickly spread beyond Ukraine to hit numerous other countries and companies, including Mondelez and Merck.
Last year, Mondelez International and Zurich American Insurance reached a settlement in their multi-year legal battle over the food company’s $100 million claim.
That followed a New Jersey court ruling in favor of Merck, which had sued its insurer, Ace American, for refusing to cover the damages it suffered because of NotPetya.
In that case, the court dismissed Ace American’s defense that the attack was an “act of war” and therefore excluded by the insurance contract. Merck’s lawyers successfully argued that “acts of war” as defined in the contract referred exclusively to “official state actions,” which didn’t apply to the NotPetya attack.
The United States and United Kingdom have attributed the NotPetya malware to the Russian Federation, with the National Cyber Security Centre finding the Russian military was “almost certainly responsible” — the highest confidence rating the intelligence agency gives. The Kremlin has repeatedly denied it orchestrated the attack.
NotPetya’s impact
Craig Dunn, Aon’s head of Cyber M&A Insurance for Europe, the Middle East and Africa, previously told The Record that the NotPetya incident left the whole insurance market feeling the war exclusions included in most policies were not fit for purpose.
NotPetya highlighted the risks that a catastrophic cyberattack could pose for the insurance industry, which could find itself without the capital to support claims.
“There are a lot of concerns about aggregation of risk. Unlike in property insurance where insurers can diversify risk by simply ensuring they don’t insure too many homes or businesses in one geographical region — the same cannot be said of cyber,” explained Dunn.
Part of the problem is a lack of technological diversity within the technology sector, with so many businesses using Windows and relying on cloud services provided by a limited number of vendors, Dunn said, “meaning risk can’t be diversified based on geographical location, so insurers must be careful not to take on too much risk.”
However, U.S. insurers have not yet adopted similar exclusions to Lloyd’s, potentially meaning customers would seek coverage from those companies rather than insurers and reinsurers operating within the British market’s fold.
Lloyd’s revamp developed the concept of an impact state, where the only losses excluded would be those incurred within a war zone or within the country where the critical national infrastructure has been severely damaged. “Losses suffered in other countries, where critical national infrastructure (CNI) remains operational and where no state of war exists, would be covered,” explained Dunn.
“Despite the negative press that Lloyd’s of London got for some of the exclusions they’ve come up with, the vast majority of insurers are adopting variants where the intention is to only exclude nation-state attacks that form part of an armed conflict or impact the underlying functioning of a state. In short, the intention is generally not to exclude something like North Korea hacking Sony back in 2014.”
As an example, Dunn said that if a multinational company’s IT infrastructure in Ukraine were affected by a Russian cyberattack then the policy would not cover the losses inside Ukraine because it is in a state of war.
“However, if their operations in the U.S. or U.K. are also impacted, any losses stemming from this would be covered, since the U.S. and U.K. are outside of the war zone and have not suffered attacks against their CNI.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.