Lloyd’s of London Ltd. has told its global network of insurer groups that new or renewed cyber insurance coverage policies must exclude nation-state attacks as of March 31, 2023. The insurer cited systemic risk to the insurance market as the reason for the change, also adding that policies must also exclude losses from war unless there is a separate exclusion of this type.
The policy change once again raises questions about how nation-state attacks are classified for insurance purposes; it is very rare for there to be clear evidence available to the public demonstrating that a state-backed group was responsible for an incident, with attribution by world governments ranging from inference to classified non-public information to simple political maneuvering.
“Catastrophic” nation-state attacks no longer covered by Lloyd’s underwriters as of 2023
Firms are looking for ways to pare back cyber insurance coverage as costs mount, driven by recent increases in crime (particularly ransomware). Nation-state attacks are most often targeted and more about espionage than theft or causing damage, but the consequences sometimes spill over to do considerable damage to other organizations.
The NotPetya incident of 2017 appears to be the primary factor in driving this decision. A protracted legal battle between Merck and its fleet of insurers over $1.4 billion in damage caused by that attack finally ended in a ruling in Merck’s favor last year. Cyber insurance coverage had previously been relying on an “acts of war” exception to address incidents such as these, but the ruling establishes legal precedent that undermines that position. The invasion of Ukraine has stoked fears that similar cyber exchanges will slip containment and cause similarly vast damage, particularly to critical infrastructure. There has already been at least one smaller incident of this nature — the AcidRain malware that was aimed at Ukraine’s ViaSat service at the start of the war, but also ended up in a large wind turbine system in Germany.
Insurers are looking to pull back on risk as companies are increasing their demand for cyber insurance coverage, and this swing in market dynamics is causing a major reorganization of the industry. Lloyd’s has been planning a change of this nature for some time, drafting an assortment of new contractual clauses in late 2021 that were aimed at clarifying when cyber attacks can be considered acts of war and catastrophically damaging enough to be excepted from coverage.
The exemption terms of the new Lloyd’s agreement name several specific countries: China, France, Japan, Russia, the UK and the US. It also names specific essential services that can be exempted from cyber insurance coverage if nation-state attacks cripple them: financial institutions, financial market infrastructure, health services and utilities among them. Managing agents have some leeway to include their own clauses, but must explain their approach and seek permission from Lloyd’s first.
Terms of cyber insurance coverage allow insurer to make “inferences” without state attribution
All of the upcoming changes to cyber insurance coverage hinge on how nation-state attacks are defined. This is likely the most controversial part of the arrangement. Lloyd’s will defer to government attribution, but that is not the only qualifier. In the absence of such attribution, the company reserves the right to make an “inference which is objectively reasonable” on its own. It intends to make these decisions if a government takes “an unreasonable amount of time, does not, or is unable to attribute the cyber-operation to another state or those acting on its behalf.”
The “acting on its behalf” language creates particular confusion regarding certain types of non nation-state attacks. Russia’s hacking groups, which the state has long turned a blind eye to but does not necessarily associate with or provide any material support to, are often behind ransomware attacks. The language seems to be included specifically to tie these sorts of independent criminal groups to nation-state attacks.
Some projections see the number of organizations unable to afford adequate cyber insurance coverage doubling in just a year. With average ransom demands now reaching into the multiple millions of dollars, and clean-up costs often in the tens of millions, many companies entirely count on insurance to cover payments when ransomware attacks hit them.
The general tightening of the cyber insurance coverage market due to increased costs began over a year ago, with AXA France becoming the first of the major insurers to cut ransomware payment reimbursements from their offerings. By late 2021 there was an established trend of insurers making changes to prices, limits and coverage; there was a fairly standard halving of limits across the market by the end of the year.
David Lindner, CISO at Contrast Security, sees this market change as a “new normal” and a prompt for organizations to ensure they are properly defended to as much of a degree as possible: “Organizations cannot just rely on their cyber insurance policy and must proactively protect themselves from these catastrophic cyber-attacks.”