Major insurance firm Lloyd’s of London has issued a bulletin indicating that its cyber insurance products will no longer cover the fallout of cyber attacks exchanged between nation-states. The insurer said last week that damages from “cyber war” between countries would no longer be covered, and that this definition extends to operations that have “major detrimental impact on the functioning of a state.”
Cyber insurance firm no longer covering fallout of digital war; do attacks on infrastructure count?
The London-based company has been a premier name in insurance for hundreds of years, and since it serves as an insurance marketplace for numerous third parties, its decisions will impact scores of other insurers in turn.
The new cyber insurance policies came in the form of a set of four “Cyber War and Cyber Operation Exclusion Clauses,” issued by the company’s underwriting director Patrick Davidson. This comes as insurers have already begun pulling back on cyber coverage, with a recent study finding that Lloyd’s syndicate members cut coverage by about 50% and are charging higher premiums in 2021 due to the global impact of ransomware attacks.
Lloyd’s says that it no longer wants to deal in losses that result from “cyber war.” As the firm defines it, this means cyber attacks during a formal state of war as well as retaliation by one state against another. The most eyebrow-raising component is that this definition also includes cyber operations that have a “major detrimental impact” on a state’s function, something that implies an attack on critical infrastructure (such as the Colonial Pipeline and JBS attacks) might no longer be covered by the market’s cyber insurance policies.
While the terms of coverage are not entirely clear, the firm did specify countries that the new terms would apply to: China, France, Japan, Russia, the United Kingdom and the United States.
Cyber attacks connected to APT groups may face coverage issues
With this move, Lloyd’s is attempting to apply binding legal terms to a shadowy world of cyber intrigue that mostly functions on plausible deniability. No country lays claim to the “advanced persistent threat” (APT) groups that it is associated with; the link is generally established by security researchers who note patterns and small pieces of evidence that these groups leave behind.
For decades, there has been some expectation that these countries will quietly hack each other without necessarily even provoking a public acknowledgment (with an escalation to a “hot war” being completely off the table thus far). The wording of the Lloyd’s bulletin does not make entirely clear what legal standard would be applied to treat cyber attacks that are tenuously linked to an APT group as an act of “cyber war” for the purposes of denying cyber insurance coverage.
Even more worrying is that cyber attacks on critical infrastructure might trigger a denial of cyber insurance, even if the attacks did not come from a known nation-state actor. The threshold appears to be only that the attack produce a “major impact” on some function of a nation-state, another element that is not completely legally defined. Lloyd’s does specify that there does not need to be official attribution of the attack to a state actor to trigger the clause; the insurer can use “inference which is objectively reasonable” to determine for itself whether any given cyber attack meets these new standards. Insurers will also not need to wait on government attribution that might be forthcoming if they determine that attribution is taking “an unreasonable amount of time.”
With all of this vague language, the cynical view would be that Lloyd’s wants to give the insurers in its market a broad escape hatch to be used to get out of the most expensive cases, ransomware in particular, which has risen to an average tally of $2 million in recovery costs in 2021 (up from about $750,000 in 2020). Ransomware attacks have also become more targeted in the past year, with criminal gangs showing a preference for larger organizations that are known to carry cyber insurance policies.
The development is not entirely new, however; some insurers have been testing the waters of war exclusions for cyber attacks for several years now. In the wake of the 2017 NotPetya ransomware attack, Zurich Insurance Group AG used government attributions of the attack to Russia as a reason to deny payments for damages to snack giant Mondelez, and there have been explorations of the idea in the insurance industry ever since. Some of the war exclusions that firms are invoking rely on insurance law that dates back to the earlier part of the 20th century, when televisions were just beginning to become a common household item.
Though firms are paring back coverage due to costs created by the ongoing crime wave of cyber attacks, demand for cyber insurance has continued to go up throughout 2021.
Chris Reese, Head of Insurance at Cowbell Cyber, points out that the market may not tolerate policies that don’t appear to keep companies safe and that this may be a prompt for an industry-wide re-examination of terms: “Cybersecurity and cyber insurance are complementary … Cyber coverage delivers financial protection and incident response expertise to assist businesses in returning to normal operations after an incident. This is why 95% of US-based insurance brokers reported an increase in demand for cyber insurance in Q3 (CIAB quarterly research). In parallel, cyber insurance is in transition. Insurers need to overhaul their underwriting strategies to account for the unique nature of cyber risk – evolving threats, rapidly expanding exposures because of digitization, complexity of IT infrastructure – to avoid any disconnect with the risk they commit to cover. Technology, data, and automation have become core to modern underwriting for cyber.”