Lloyd’s to exclude nation-backed catastrophic cyberattacks from insurance coverage

Lloyd’s of London Ltd. will require its insurer groups globally to exclude catastrophic state-sponsored hacks from stand-alone cyber insurance policies from next year.

Lloyd’s is a marketplace where approximately 75 underwriting syndicates come together to provide insurance coverage to businesses, organizations and individuals. Beginning March 31, when coverage begins or renews, syndicates must exclude state-sponsored cyberattacks from policies that protect against physical and digital harm from hacks, Chief Underwriting Officer Tony Chaudhry said in an Aug. 16 bulletin.

The move is designed to ensure insurers make it clear what they will and will not cover, as the ability of state-sponsored hacks to spread and cause damage could lead to systemic risk in the insurance market, the notice says.

At a minimum, Chaudhry said, policies should contain clauses that exclude losses from war, declared or undeclared, where the policy does not have a separate war exclusion. They must also exclude losses when a state-backed attack has a catastrophic effect on the target nation and impairs its ability to function. There must also be a robust process by which the parties decide on the attribution of attacks, according to the notice.

Lloyd’s did not respond to a request for comment.

While the exclusions for openly declared war are relatively straightforward, determining attribution for a country-backed cyberattack is fraught with difficulty. For example, drawing a distinction between when a criminal group is merely acting on behalf of a nation or actually acting as an agent of the state is a challenge, US officials have previously said. Brokers said determining the degree of damage from an attack that would trigger exclusions is equally difficult.

“For most market players, it’s not so much about nation-state activity as about times when that level of activity reaches a financially catastrophic degree,” said Gregory Eskins, chief product officer for cyber in the United States and Canada at Marsh, the brokerage unit of Marsh & McLennan Cos. “It’s something we all struggle with.”

Insurers have explored ways to tighten the wording of their policies, particularly after a New Jersey judge last year ruled in favor of Merck & Co., deciding it was entitled to payments from its insurers after a cyberattack in 2017. Merck had been hit by the NotPetya virus, and recovery ultimately cost it $1.4 billion. The company’s property and casualty insurers initially denied the claims based on wartime exclusions. In that case, the judge stated that Merck could not reasonably be expected to know that the wartime exclusions would apply to such an event, essentially stating that a common wartime exclusion does not cover cyberattacks.

Part of the reason insurers are increasingly wary of covering state-sponsored cyberattacks is the scale of the economic damage they can cause. Packaged-food company Mondelez International Inc., which was also a victim of NotPetya, has sought $100 million in damages related to the attack, while Britain’s National Health Service said the WannaCry virus cost it more than $100 million. The US government has officially attributed NotPetya to Russia and WannaCry to North Korea. Both nations deny any involvement.

Cyber insurance, which has become an increasingly important market due to a proliferation of attacks in recent years targeting businesses of all sizes, has seen a period of readjustment in recent months as insurers better understand how to model and price the risk they are covering.

Lloyd’s new requirements represent an “evolution” in how the insurance industry approaches cyber, said Thomas Reagan, head of U.S. and Canada cyber practice at Marsh, but the new stipulations also introduce difficulties.

“As with all of these things to some extent, it’s two steps forward and one step back,” Mr. Reagan said. While the bulletin establishes some certainty and clarity around what Lloyd’s expects, he said, it also creates uncertainty for policyholders, such as how to attribute a given cyberattack.

War-related exclusions, in particular, have been hotly debated within the cyberinsurance industry for years, but Russia’s invasion of Ukraine in February has rekindled concerns that a major cyberattack, such as one that destroys critical infrastructure, could lead to catastrophic losses for insurers. The relative youth of the cyberinsurance market means there’s a lack of standardization around terms and exclusions, ratings firm Moody’s Investors Service Inc., a unit of Moody’s Corp., said in a June note.

“In litigation in the United States, insurers generally must show that an exclusion in an insurance policy applies to the case. This puts the burden of proof on insurers in the case of the war exclusion,” Moody’s analysts said in the note. Moody’s declined to comment on the Lloyd’s bulletin.

While Lloyd’s requirement is important because it aims to remove ambiguity about when and where exclusions will be applied to policies, it could also harm victims of hacking, said Joshua Motta, chief executive of the insurer Coalition Inc., which offers cyber-specific coverage.

“The other significance is that policyholders may find themselves without essential support or services from their insurer while waiting for the government award,” he said.

The Lloyd’s Market Association, a trade group of managing agents, or companies that run syndicates, proposed a number of draft contract terms in November 2021 that would exclude state-sponsored cyberattacks from cyber policy coverage. Lloyd’s said in its memo on Tuesday that using these clauses would satisfy its requirements.

Write to James Rundle at [email protected]

Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.