Back in March 2022, we detailed the significant risks to both insureds and insurers posed by unclear cyber insurance policy wordings, with a particular focus on war exclusion clauses in the aftermath of the decision in Merck and International Indemnity v ACE (et al.)¹. Amidst a rapid expansion in demand for cyber policy coverage² and a heightened risk of state-backed cyberattacks as a result of the ongoing conflict in Ukraine³, the issue remains to be fully resolved.

On 16 August 2022, Lloyd’s of London (Lloyd’s) released Market Bulletin Y5381, which required that Lloyd’s syndicates include certain baseline exclusions for state-backed cyberattacks in their policies from 31 March 2023 at the inception or on renewal of each policy⁴.

This requirement is part of a recent trend of limiting cyber incident coverage, as insurers attempt to limit their exposure for cyber incidents by raising premiums, limiting policy coverage and excluding coverage for certain events. Businesses paid an average of 133 percent more in premiums in December 2021 than the same time in the previous year. Meanwhile, the policy limits in Q1 2022 were roughly half of those offered during the 2021 renewal cycle.

Recent insurance market commentary

In December 2022, Mario Greco, CEO of Zurich Insurance, praised the US government’s steps to discourage ransom payments to cyber attackers⁵. However, he also warned that cyber attacks could become ‘uninsurable,’ because of the rapidly rising impacts, costs and proliferation of ransomware and related cyber incidents - coupled with the increasing commoditization of hacking tools on the one hand and the increasing determination of state and state-sponsored threat actors on the other.

The costs of ransomware, in addition to other destabilizing or destructive attacks, can be measured not just in terms of privacy, but in terms of physical damage, particularly to critical infrastructure and the public sector, which is very expensive to repair.

Know your cyber coverage

It is important that both insureds and insurers clarify the extent and sufficiency of cyber insurance coverage. Without clearly worded exclusion clauses, insureds may mistakenly believe that they are covered for any and all cyberattacks when, in fact, state-backed cyberattacks may be excluded under their policies. Alternatively, insurers may be exposed to losses from what are effectively cyber acts of war, which common insurance policies are not designed to cover⁶.

Tony Chaudhry, Underwriting Director at Lloyd’s, has described the writing of cyber insurance as an “evolving risk” for underwriters, noting that without the exclusion of cyber warfare from coverage, such policies may pose a “systemic risk to insurers”⁷.

Clarity around coverage?

Beginning 31 March 2023, Lloyd’s would require state-backed cyber exclusion clauses to:

In the case of Merck, it was found that insurers could not rely on traditional war exclusion clauses to deny coverage for damage caused by state-backed cyberattacks, because such clauses, “applied only to traditional forms of warfare”⁹. The new exclusions are an attempt by Lloyd’s to counteract that decision and narrow the coverage available.

However, the exclusion of cyberattacks such as the NotPetya malware, would ultimately undermine the utility of, and demand for, cyber policies¹⁰. The exclusions apply even where there is no underlying physical war, which was an issue central to the NotPetya litigation.

NotPetya was attributed to the Russian government by the US and other national governments and is estimated to have cost $10 billion in damages worldwide. Zurich American Insurance denied a $100 million claim for losses arising from the incident to the multinational food company Mondelez under the war exclusion, which excluded coverage for loss arising out of “hostile or warlike actions (…) by any government or sovereign power (…)”. That case settled on 24 October 2022, just before the trial ended, but a denial of coverage based on the NotPetya attack was ruled improper in Merck & Co v. Ace American Insurance, holding that the war exclusion did not apply to the NotPetya attack, as a reasonable understanding of the war exclusion would require it to involve the use of armed forces. Lloyd’s is aiming to avoid the ambiguity associated with applying the war exclusion to cyber-attacks with this new contract language.

Third country damage

A particular issue with state-backed cyberattacks is the potential for such attacks to spread inadvertently beyond the target nation’s borders to a third country, as seen with the NotPetya malware, which initially appeared in Ukraine but subsequently spread worldwide.

The Lloyd’s bulletin includes a requirement for an insurer to “be clear” as to whether cover excludes such damage, however, no further guidance is provided. Accordingly, it remains unclear whether, for instance, collateral damage caused in a third country as a result of a state-backed cyberattack excluded under the Lloyds baseline exclusion, would be covered.

Attribution

Establishing attribution remains a central difficulty in excluding losses incurred by state-backed cyberattacks as, by their very nature, the perpetrator of a cyber-attack is less easily identifiable than the perpetrator of a physical attack.

The Lloyd’s model cyber clauses approach attribution by relying on the determination of the government of the state affected (including its intelligence and security services) as the “primary but not exclusive factor in determining attribution” ¹¹ (emphasis added), although “pending attribution by the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located, the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its behalf”.

What may be “objectively reasonable” in an age of (mis)information will be up for debate in many cases, however, Lloyd’s is indicating that the insurer is likely to be the arbiter of attribution, even in the absence of a clear government declaration. In addition to the technical challenges of attributing a cyber-attack to a foreign government, national governments may choose not to make public attribution in order to protect intelligence sources and methods, in light of diplomatic or military considerations, or based on domestic politics. State-sponsors of cyber attacks also base their strategy on plausible deniability, and create semipermeable membranes between criminal and state-directed cyber activities. The Russian Federal Security Service (FSB, formerly known as the KGB) has been known to contract-out traditional espionage activities to criminal hacking groups.

The attribution process takes time, and the first few days after a cyber-attack are critical; organizations are tasked with recovering their systems from the attack and discovering what data and systems may have been affected and how the attack occurred, while also communicating the event to their clients, customers, investors, suppliers, employees and regulators. Legal counsel, breach recovery services, and forensic investigations are critical immediately after a breach is discovered, and their costs may be covered by cyber insurance policies. Unless the exclusion is carefully drafted, organizations could face uncertainty over whether their policy will cover the costs of remediation and third party experts in the early days of an event – and this may be some weeks before attribution is determined (if at all).

Litigation between an insurer and its insured may become a battle of the experts in cases where the insurer itself attributes an attack to a nation-state and denies coverage based on that assessment. Without a mandatory arbitration clause (or other forms of alternative dispute resolution), litigation of this type raises the risks that the types of details that organizations generally want to keep out of the public eye following a cyber-event become public. With these difficulties comes uncertainty, and with the announcement from Lloyd’s, it would appear that companies will bear a greater share of the risk.

Conclusion and Significance

It remains to be seen the extent to which Lloyds’s decision to exclude state-backed cyber-attacks from standard cyber insurance policies will be mimicked by other insurance providers. However, Marsh Insurance initially published a critique of the exclusion requirement shortly after it was published¹², then softened its stance and suggested its own exclusion language some weeks later¹³, perhaps indicating the direction of travel. From the insurance industry’s perspective, it is possible that some of the risk of state-backed attacks are shared with the public sector, as happens with other risks such as terrorism and the pandemic, and this is something which has already been called for by certain insurers.

But, in this new environment, organizations may want to:

Organizations may also want to re-evaluate how best to apportion resources in light of the rapidly escalating cyber threat, the contraction in coverage and the rise in premiums. In essence, the time may come for executives and their Boards to re-examine whether and to what extent premium payments should be re-allocated to self-insurance, captives and improving preparedness, both from an IT and a governance perspective. Setting up captives is something we have advised clients on. One recent organisation explained that their IT function was in fact quietly delighted, following a cyber incident, as the board had subsequently, and immediately, authorised a two-year information security roadmap and budget, which was implemented in less than eight weeks. Every cloud has a silver lining, perhaps, but cybersecurity is not just about IT and no company should wait for catastrophe to strike before optimizing prevention, protection and preparedness.

Ultimately, cyber insurance may still play a central role in a company’s risk-based cyber strategy, but companies should consider starting 2023 with a fresh look at their overall strategy.