
Lloyd’s of London cyber war exclusion rules come into effect

Lloyd's of London's controversial clause has caused consternation for many in the insurance industry as they rush to abide by the deadline.

By Claudia Glover

A cyber war exclusion clause written by Lloyd’s of London last year has now come into effect. The controversial clause would see the effects of state-backed cyberattacks excluded from cyber insurance policies. Some have claimed that state backing is difficult to discern due to the anonymous nature of cyberattacks.

The cyber war exclusion clause was announced in August of last year and recommends that standalone cybersecurity policies exclude coverage of attacks implemented by state-sponsored cybercriminals. Written by Lloyd’s underwriting director Tony Chaudhry, the clause is expected to add clarity to an unclear field that can lead to billions of pounds’ worth of risk.

“The requirements set out here take effect from 31 March 2023 at the inception or on renewal of each policy,” reads the bulletin. “There is no requirement to endorse existing, in-force policies, unless the expiry date is more than 12 months from 31 March 2023. Managing agents will nevertheless wish to start at an early stage to determine their approach to adopting appropriate exclusion clauses.”

In implementing the requirements Lloyd’s warned that managing agents would need to consider the terms of their reinsurance programmes, to ensure they provide appropriate, back-to-back cover.

A controversial ruling

The deadline was met with worry as insurers rushed to ensure their policies were in line with the Lloyd’s of London suggestions, Sarah Stephens, head of international cyber at insurance broker Marsh, told the Financial Times.


“Where we feel the mandate has caused undue pressure by not allowing enough time for the commercial market to come up with solutions,” she said, causing insurers to feel “handcuffed” by the tight time frame.

Others have argued that, since identifying the perpetrators of an attack can be an imprecise science, Lloyd’s of London could be giving the exclusion clause too much leeway.


Josephine Wolff, an associate professor of cybersecurity policy at Tufts University’s Fletcher School of Law and Diplomacy, told The Record that much will likely depend on how attribution for attacks is determined. “I think overall, this bulletin comes pretty close to equating state-backed cyberattacks with acts of cyber war… and that is a substantial shift in policy that I think suggests insurers may be moving towards trying not to cover these types of (very common!) attacks.”

Practically, however, some have suggested that these exclusions will serve to exclude global events such as the NotPetya hack. “Despite the negative press that Lloyd’s of London got for some of the exclusions they’ve come up with, the vast majority of insurers are adopting variants where the intention is to only exclude nation-state attacks that form part of an armed conflict or impact the underlying functioning of a state,” Craig Dunn, the head of Cyber M&A Insurance EMEA for Aon, told The Record.

The impact of NotPetya

It was the legal fallout of the NotPetya attack of 2017 that shook the insurance world. A state-backed attack masquerading as ransomware originating in Ukraine, the malware caused more than $10bn worth of damage globally. 

Two global legal battles arose from the attacks, with each claimant arguing that it should be covered for the billions in losses. The pharmaceutical company Merck won a lawsuit last year after its insurer, Ace American, declined to cover approximately $1.4bn in losses from the NotPetya attack. In denying the claim, the insurer unsuccessfully cited a “war exclusion,” claiming it should not be liable for covering the 2017 wiper attack because it was linked to Russian conflict with Ukraine.

Despite the win, this ruling led many in the insurance industry to scale back coverage to leverage liability.

Mondelez International and Zurich American Insurance reached a settlement in November of last year in their multi-year legal battle over the food company’s $100m claim, regarding damage from the same NotPetya cyberattack.

This piece was originally published on Tech Monitor on 31 March 2023.