A cyber war exclusion clause written by Lloyd’s of London last year has now come into effect. The controversial clause would see effects of state-backed cyberattacks excluded from cyber insurance policies. Some have claimed this is difficult to discern due to the anonymous nature of cyberattacks.
The cyber war exclusion clause was announced in August of last year and recommends that standalone cybersecurity policies exclude coverage of attacks implemented by state-sponsored cybercriminals. Written by Lloyd’s underwriting director Tony Chaudhry, the clause is expected to add clarity to an unclear field that can lead to billions of pounds worth of risk.
“The requirements set out here take effect from 31 March 2023 at the inception or on renewal of each policy,” reads the bulletin. “There is no requirement to endorse existing, in-force policies, unless the expiry date is more than 12 months from 31 March 2023. Managing agents will nevertheless wish to start at an early stage to determine their approach to adopting appropriate exclusion clauses.”
In implementing the requirements Lloyd’s warned that managing agents would need to consider the terms of their reinsurance programmes, to ensure they provide appropriate, back-to-back cover.
A controversial ruling
The deadline was met with worry as insurers rushed to ensure their policies were in line with the Lloyd’s of London suggestions, said Sarah Stephens, head of international cyber at insurance broker Marsh, to the Financial Times.
“Where we feel the mandate has caused undue pressure by not allowing enough time for the commercial market to come up with solutions,” she said, causing insurers to feel “handcuffed” by the tight time frame.
Others have expressed that since the ability to discern the perpetrators of an attack can be an imprecise science, Lloyd’s of London could be lending too much leeway to the exclusion clause.
Josephine Wolff, an associate professor of cybersecurity policy at Tufts University’s Fletcher School of Law and Diplomacy, said to the Record in a report that much will likely depend on how attribution for attacks is determined. “I think overall, this bulletin comes pretty close to equating state-backed cyberattacks with acts of cyber war… and that is a substantial shift in policy that I think suggests insurers may be moving towards trying not to cover these types of (very common!) attacks.”
Practically, however, some have suggested that these exclusions will serve to exclude global events such as the NotPetya hack. Craig Dunn, the head of Cyber M&A Insurance EMEA for Aon, told The Record. “Despite the negative press that Lloyds of London got for some of the exclusions they’ve come up with, the vast majority of insurers are adopting variants where the intention is to only exclude nation-state attacks that form part of an armed conflict or impact the underlying functioning of a state,” he said.
The impact of NotPetya
It was the legal fallout of the NotPetya attack of 2017 that shook the insurance world. A state-backed attack masquerading as ransomware originating in Ukraine, the malware caused more than $10bn worth of damage globally.
Two global legal battles arose from the attacks, each claiming that they should be covered for the billions in losses. The pharmaceutical company Merck won a lawsuit last year after its insurer, Ace American, declined to cover approximately $1.4bn in losses from the NotPetya attack. In denying the claim, the company unsuccessfully cited a “war exclusion,” claiming it should not be liable for covering the 2017 wiper attack because it was linked to Russian conflict with Ukraine.
Despite the win, this ruling led many in the insurance industry to scale back coverage to leverage liability.
Mondelez International and Zurich American Insurance reached a settlement in November of last year in their multi-year legal battle over the food company’s $100m claim, regarding damage from the same NotPetya cyberattack.
This piece was originally published on Tech Monitor on 31 March 2023.