Nation State Attacks
The cyber insurance market is increasingly concerned about the impact of nation state cyberattacks. Cyber activity during the war in Ukraine has highlighted this risk and what might happen if a cyberattack escalated. The NotPetya zero-day attack in 2017 was another warning. Although intended for infrastructure targets in the Ukraine, businesses were impacted throughout the world.
As cyberattacks evolve and spread, insurers are well aware of the need to manage this type risk and ensure the long-term sustainability of the cyber insurance market.
Action by Lloyd’s
Lloyd’s of London has been proactive in addressing this exposure and the Lloyd’s Market Association (LMA) cyber war working party has issued updated cyber war clauses, which came into effect on 31 March 2023. They are to be implemented on standalone cyber insurance policies underwritten by Lloyd’s Managing Agents.
New Cyber War Model Clauses
While the principal aim is to provide clarity for both insurers and insureds, there are two versions. Understandably, this has drawn criticism.
Version A is where attribution of the cyberattack is clearly stated: “in determining attribution of a cyber operation to a state, the insured and insurer will consider such objectively reasonable evidence that is available to them.”
Version B is where there is no agreement on how a cyber operation is attributed to a nation state to determine whether the exclusions operate. For this, Lloyd’s will require evidence of a mechanism that has been agreed with policyholders on a case-by-case basis.
The ‘A’ clauses can be summarised as follows:
1. LMA5564A: This is a blanket exclusion for any losses occurring or in consequence of war or a cyber operation.
2. LMA5565A: Places specific sub-limits on claims payments in the event of cyber operations. This, however, also excludes absolutely those operations launched in war, in retaliation by specified states, or which cause major detrimental impacts to the functioning of a state.
3. LMA5566A: As per LMA5565A (2 above), but there are no specified sub-limits on claims payment.
4. LMA5567A: As per LMA 3 but allows coverage in respect of “bystanding assets” (i.e., those that may be impacted by a cyber operation, but not those targeted) resulting from cyber operations causing major detrimental impacts to the functioning of a state.
Snapshot of the ‘A’ Cyber War Clauses
• Lloyd’s Insurers may use wording variations of the NMA clauses, and it is therefore important that these clauses are reviewed during placement of a cyber insurance policy.
• To avoid disputes during claims settlements, new definitions such as “Cyber Operations” “Major Detrimental Impact” and “Essential Services” should be clear.
• Focus should be given to how attribution is arrived at and that policyholders understand this process.
Outside of the Lloyd’s cyber insurance market we are seeing other leading cyber insurers adopt their own clauses using different terminology which has been driven by their reinsurers. We are also seeing insurers who have not yet imposed new cyber war clauses. The market has therefore not reached consensus on this important issue.