Starting in March 2023, Lloyd’s will REQUIRE all its agents to exclude liability for losses from state-sponsored cyberattacks.
The problem is defining what a state-sponsored attack is.
In a bulletin to its producers last week, Lloyd’s says that while it remains strongly supportive of its agents writing cyber policies, it is concerned that the risk could destroy the insurance industry.
So-called “Acts-of-War” clauses have been in general insurance policies for years. The challenge with including them in cyber policies is figuring out what is an act of war.
If a foreign country drops a bomb on your building, it is pretty clear what happened. But it gets muddy when it is a terrorist with an IED. Was that terrorist operating under the direction of a foreign power or was he/she a lone wolf?
When it comes to cyber, it is even muddier. What is a state-sponsored attack?
Lloyd’s says the policies must include exclusions that:
1. Exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
2. (Subject to 3) exclude losses arising from state-backed cyberattacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.
3. Be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) and (b) above, by the state-backed cyberattack.
4. Set out a robust basis by which the parties agree on how any state-backed cyberattack will be attributed to one or more states.
5. Ensure all key terms are clearly defined.
Item 2 talks about impairing a state. What about private companies? At least item 4 requires them to clearly define the attribution process.
One of Lloyd’s model clauses says:
Notwithstanding any provision to the contrary in this insurance, this insurance does not cover
any loss, damage, liability, cost or expense of any kind (together “loss”) directly or indirectly
occasioned by, happening through or in consequence of war or a cyber operation.
This clause doesn’t even say the cyber operation needs to be state sponsored. This would seem to exclude all cyber attacks. If that is the case, then you don’t have any insurance. I don’t think this is what they mean, but it is sloppy language from a lawyer.
While this is not mandatory until next March, I anticipate underwriters adding this now. After all, to them, why not? Credit: CSO Online