Lloyd’s to forbid insurers from covering losses due to state-backed hacks
Lloyd’s of London will require underwriters to exclude coverage for state-backed cyberattacks linked to war or catastrophic damages, the insurance marketplace announced last week, as the expanding industry continues to adapt to a changing cyber threat landscape.
The bulletin, which was released on August 16 and written by Lloyd’s Underwriting Director Tony Chaudhry, lays out requirements for its insurance groups to follow in their cyber policies, beginning at the end of March 2023. At minimum, they must specifically exempt coverage for losses “arising from a war,” as well as from state-backed cyberattacks that “significantly impair the ability of a state to function,” or which impact a state’s security capabilities. It also mandates that syndicates have a clear system for how to attribute an attack to a state-based actor.
“The ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb,” Lloyd’s Chaudhry wrote.
Joshua Motta, co-founder and CEO of cyber insurance company Coalition, said most insurance policies already exclude acts of war from coverage, “although it is always the insurers’ burden to prove the exclusion applies.”
“The significance of the requirement from Lloyd’s is that it seeks to remove ambiguity in how the war exclusion will be applied,” he said. “This is sound in principle, but it is not yet clear whether it will achieve its goal in practice.”
The mandates from Lloyd’s coincide with concerns about the growing cost of cyberattacks and who is ultimately liable. Earlier this year, the pharmaceutical company Merck won a lawsuit related to the massive NotPetya incident, after its insurer Ace American declined to cover approximately $1.4 billion in losses. In denying the claim, the company unsuccessfully cited a “war exclusion,” claiming it should not be liable for covering the 2017 wiper attack because it was linked to Russian conflict with Ukraine.
Another case related to the incident, filed by the food company Mondelez International against Zurich American Insurance Co., is still pending in an Illinois court.
Although Merck won its suit, the NotPetya fallout resulted in cyber insurers scaling back coverage to mitigate liability. Last year, the Government Accountability Office warned in a report of a growing insurance void in instances where critical infrastructure is targeted, like the 2021 Colonial Pipeline attack. The watchdog recommended that the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Insurance Office (FIO) research a potential federal insurance program to address such events.
Josephine Wolff, an associate professor of cybersecurity policy at Tufts University’s Fletcher School of Law and Diplomacy, said much will likely depend on how attribution for attacks is determined. “I think overall, this bulletin comes pretty close to equating state-backed cyberattacks with acts of cyberwar… and that is a substantial shift in policy that I think suggests insurers may be moving towards trying not to cover these types of (very common!) attacks.”
Aug. 23, 2022: Post updated to include a quote from Tufts professor Josephine Wolff.