Nation-state attacks pose systemic risk to insurers

Insurance marketplace Lloyd’s of London is set to introduce cyber insurance exclusions to coverage for “catastrophic” state-backed attacks from 2023. 

In a market bulletin published on August 16, 2022, Lloyd’s stated that whilst it “remains strongly supportive of the writing of cyber attack cover” it recognises that “cyber-related business continues to be an evolving risk."

Therefore, the company will require all its insurer groups to apply a suitable clause excluding liability for losses arising from any state-backed cyber attack in accordance with several requirements. The move is reflective of a maturing and quickly evolving cyber insurance market.

Nation-state attacks pose systemic risk to insurers

In its bulletin, Lloyd’s of London wrote that its consistently emphasises that underwriters need to be clear in their wordings as to the cover they are providing, with clarity surrounding cyber attacks involving state-backed actors of particular importance. 

“When writing cyber attack risks, underwriters need to take account of the possibility that state-backed attacks may occur outside of a war involving physical force. The damage that these attacks can cause and their ability to spread creates a similar systemic risk to insurers.”

Lloyd’s aims to ensure that all syndicates writing in this class are doing so at an appropriate standard, with robust wordings, it added. 

“We consider the complexities that can arise from cyber attack exposures in the context of war or non-war, state backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust," it stated.

Moving forward, all standalone cyber attack policies falling within risk codes “CY” and “CZ” must include a suitable clause excluding liability for losses arising from any state-backed cyber attack in accordance with the requirements set out below, Lloyd’s stated. At a minimum, the state-backed cyber attack exclusion must:

1. Exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
2. (Subject to 3) exclude losses arising from state-backed cyber attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.
3. Be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) and (b) above, by the state-backed cyber attack.
4. Set out a robust basis by which the parties agree on how any state-backed cyber attack will be attributed to one or more states.
5. Ensure all key terms are clearly defined.

“This clause must be in addition to any war exclusion (which can form part of the same clause or be separate to it),” Lloyd’s wrote. “Further, given the complexities that can arise in drafting suitable exclusion clauses, managing agents must be able to show that these exclusions have been legally reviewed having regard to the interests of underwriters.”

The requirements will take effect from March 31, 2023, at the inception or on renewal of each policy, with no requirement to endorse existing, in force policies, unless when the expiry date is more than 12 months from March 31, 2023, according to Lloyd’s. 

“Managing agents will nevertheless wish to start at an early stage to determine their approach to adopting appropriate exclusion clauses (including obtaining any necessary legal review),” it added.

Lloyd’s exclusion predictable, indicates cyber attacks aren’t just about money

Speaking to CSO, Jonathan Armstrong, lawyer and partner at compliance firm Cordery, says Lloyd’s decision to apply exclusions surrounding state-backed cyber attacks is not surprising but does illustrate that cyber attacks are often not just about money. 

“It’s not a surprise – just as terrorism and acts of war have been excluded from conventional insurance coverage for years," he said. 

"We have seen how nation-states use cyberwarfare to raise money for missile programs, etc., but also to spread panic and despair in the same way acts of terror have been used in the offline world for hundreds of years. My gut feel is that non-Lloyd’s insurers will all follow suit, too.”

It is also another indicator that it is becoming increasingly tricky for some organisations to get cyber coverage with things such as premium prices and stricter limitations on the rise, Armstrong continues. “For organisations, it’s a reminder that insurance isn’t the fix to everything. It also reinforces the need for organisations to shore up their own defences.”

Cyber attack attribution biggest issue organisations will face

The real issue that organisations are going to face will be surrounding attribution, Armstrong adds. “Whilst with specialist help you can often say that there are indicators of nation-state involvement, we know it’s hard to be certain. It’s these difficulties which are likely to lead to litigation, as the insurers may think there is nation-state involvement, but the insured might think this is not the case.”

Putting proper procedures in place will be key, and to get attribution right an organisation will need proper and effective monitoring on its systems to assist in an investigation. “It is also likely to need specialist help in analysing that evidence,” says Armstrong. 

“As ever, the time to prepare for an attack is before it happens, and some organisations will want to re-test their readiness plans considering the need to gather this evidence to satisfy their insurers that a claim is in scope.”

However, even with accurate attribution of an attacker, businesses could still find it difficult to prove nation-state involvement, cyber security consultant Lisa Forte wrote. 

“Even if you identify the group behind the attack, even if you locate them in a country (let’s say Russia), and even if you can show that the Russian government knew about the group that attacked you and took no action against them, that’s not sufficient under international law to prove that that group’s actions are affiliated with the state," Forte said.

"In fact, even if you had solid proof that the Russian government had paid the group that attacked you, that still would not be sufficient to meet this high bar. The state must exert a level of operational and managerial control over the group to pass this high bar of a test.”

In the U.S. the burden would fall on the insurers to prove the exception applies but that’s not the case in every country, so it could fall on the victim to show the reverse, Forte added. 

“It has been claimed in the sea of analysis on this decision that the attack won’t necessarily need official attribution to be excluded from the policy coverage," she said.

"The insurer can decide … if it is ‘objectively reasonable to attribute cyber attacks to state activities.’ So, the insurer could claim that the attack is excluded because it is ‘reasonable’ to attribute it to a nation-state. Not the clarity we perhaps wanted!”