In a market bulletin published on August 16, 2022, while stating that it “remains strongly supportive of the writing of cyberattack cover”, Lloyd’s stated that it recognizes that “cyber-related business continues to be an evolving risk.” As a result, Lloyd’s will require all its insurer groups to apply a suitable clause excluding liability for losses arising from any state-backed cyberattack in accordance with several requirements. As Lloyd’s stated in the bulletin: “This clause must be in addition to any war exclusion (which can form part of the same clause or be separate to it). At a minimum, the state backed cyber-attack exclusion must:
1. exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
2. (subject to 3) exclude losses arising from state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.
3. be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state backed cyber-attack.
4. set out a robust basis by which the parties agree on how any state backed cyberattack will be attributed to one or more states.
5. ensure all key terms are clearly defined.
Further, given the complexities that can arise in drafting suitable exclusion clauses, managing agents must be able to show that these exclusions have been legally reviewed having regard to the interests of underwriters.”
The requirements will take effect from March 31, 2023, at the inception or on renewal of each policy, with no requirement to endorse existing, in-force policies unless the expiry date is more than 12 months from March 31, 2023, according to Lloyd’s. “Managing agents will nevertheless wish to start at an early stage to determine their approach to adopting appropriate exclusion clauses (including obtaining any necessary legal review),” it added.
Considerations for Coverage of State-Backed Cyberattacks
As the Wall Street Journal reports, part of the reason why insurers are increasingly leery of covering state-backed cyberattacks is the vast economic damage they can cause. Packaged-food company Mondelez International Inc., which was also a victim of NotPetya (discussed by us in a previous report on the Russia-Ukraine situation), claimed $100 million in damages related to the attack, while Britain’s National Health Service said the WannaCry virus cost it over $100 million. The U.S. government has formally attributed NotPetya to Russia and WannaCry to North Korea. Both nations deny involvement.
While exclusions for openly declared war are relatively straightforward, determining attribution for a nation-backed cyberattack is fraught with difficulty. For instance, drawing a line between when a criminal group is simply acting in support of a nation, or actually operating as a state agent, is a challenge, U.S. officials have previously said. Brokers said that determining the degree of damage caused by an attack, which would trigger the exclusions, is similarly tough.
Insurers have been exploring ways to tighten the language in their policies, particularly after a New Jersey judge last year ruled in favor of Merck & Co., deciding it was entitled to payouts from its insurers after a 2017 cyberattack. Merck had been affected by the NotPetya virus, which it said ultimately cost $1.4 billion to recover from. The company’s property and casualty insurers initially denied the claims on the basis of war exclusions. In that case, the judge said Merck couldn’t reasonably be expected to know that war exclusions would apply to such an event, essentially declaring that a common acts-of-war exclusion doesn’t cover cyberattacks.
The relative youth of the cyber insurance market means there is a lack of standardization around terms and exclusion clauses, ratings firm Moody’s Investors Service Inc., a unit of Moody’s Corp., said in a June note.
Impact to Your Organization
Cyber insurance rates and coverage terms are rapidly changing. This Wall Street Journal article illustrates how the rates have risen dramatically:
- In the second quarter of 2022, U.S. cyber-insurance prices increased 79% from a year earlier, after more than doubling in each of the preceding two quarters, according to the Global Insurance Market Index from professional-services firm Marsh & McLennan Cos.
- Direct-written premiums for cyber coverage collected by the largest U.S. insurance carriers—the amounts insurers charge to clients, excluding premiums earned from acting as a reinsurer—climbed to $3.15 billion last year, up 92% from 2020, according to information submitted to the National Association of Insurance Commissioners.
Our previous report from earlier this year on cyber insurance rates and how to combat them explains that the best way to minimize those rising premiums is to demonstrate the implementation of several key security controls. Just as home insurance companies provide discounts for burglar alarms and other home security controls, cyber insurance companies do so for companies that have implemented key security controls to maximize the protection of their data.
It’s more important than ever to stay informed on how insurance companies are adjusting to cyber trends and how those adjustments are reflected in their rates and coverage terms. Staying informed and implementing sound security controls are your best bet to address today’s volatile cyber insurance market.