A critical, but long-anticipated decision by Lloyd's last week to phase out coverage for state-sponsored cyberattacks illustrates an insurance market that has been under increasing financial pressure for years. It also raises questions for U.S. companies about their preparedness and long-term risks amid more dangerous and sophisticated threats.
“Cyber remains a priority area for Lloyd's,” a spokesman said in an emailed statement. This month’s advisory guidance, “following consultation with our market, is to ensure we take on the right kinds of risk as a market while approaching this complex field with the expertise and diligence it requires."
The company said it will continue to take a pragmatic and innovative approach to supporting the growth of cyber.
Lloyd's policy says the company’s role is to support a competitive and resilient cyber insurance market, but the bulletin has not mandated clauses for managing agents. Instead of applying a one-size-fits-all approach, the new guidance encourages managing agents to apply due diligence to the specific complexities of state-sponsored attacks.
“These exclusions highlight the difficulty and complexity of cyberattacks, and with the dynamic nature of evolving cyberthreats, they provide an extra layer of protection from insurers for attacks that are stemming from state-based actors,” Sridhar Manyem, director, industry research and analytics at A.M. Best.
The guidance comes at a time when the cyber insurance market is under tremendous pressure due to the rise in ransomware attacks in recent years. Pressure has also arisen from the fallout of Russia's invasion of Ukraine in February, which has sparked considerable fears of attacks against critical infrastructure.
Data from S&P Global Ratings in July show considerable turbulence in the cyber insurance market. Cyber insurance premiums are expected to rise 25% per year to reach $22.5 billion in 2025, compared with about $9 billion in 2021.
There was a 232% increase in ransomware claims from 2019 to 2021, the report shows, and a 54% rate of nonpayment for ransomware claims during the first quarter of 2022, up from 15% during the first quarter of 2019.
”There are other vexing issues that the market still needs to confront with relation to cyber war exclusions, including who bears the burden of proof in establishing the origins of a cyber incident, the extent of state involvement and the relevance of an attack to a conflict’s aims,” said Manuel Adam, associate director, S&P Global Insurance Ratings.
A study released earlier this month from Blackberry and Corvus shows widespread issues with coverage among small to midsize organizations, which often lack the financial resources of large enterprises.
Only 55% of respondents had cyber insurance coverage, and 78% added on cyber-related coverage to a previously existing policy, an indication that cyber is not the priority coverage.
Of those with coverage, only 44% are insured for losses up to about $600,000, which is well below the threshold for the median ransomware demand based on 2021 data. The study is based on a survey of 450 IT and security decision makers in the U.S. and Canada by Team Lewis Research.
Change is afoot
Analysts say the changing guidance from Lloyd's is a logical step in response to the enormous pressure placed on coverage.
“It’s another step forward for the market in providing more clarity around what standalone cyber insurance coverage includes and does not include,” Heidi Shey, principal analyst at Forrester, said via email.
Insurers are under pressure to reduce their risks to be profitable, which is why they have imposed more restrictive underwriting standards and are asking additional questions of companies seeking new coverage or renewing existing policies, according to Shey.
The new exclusions are essentially a continuation of the cyber war and cyber operation exclusion clauses from Lloyd’s Market Association, which went into effect earlier this year, according to Andrea DeField, a partner at Hunton Andrews Kurth in Miami.
“Those exclusions released in January were more of a sea change in the industry, with [this month’s] pronouncements seemingly clarifying those exclusions for future policies,” DeField said via email.
Evidence of change across the market
Lloyd’s isn’t alone in rethinking its policies. Munich Re, a Germany-based reinsurer, disclosed plans in April to add additional language into cyber coverage that protects against acts of war.
“Munich Re is determined to eliminate systemic cyber war exposure,” a spokesperson for Munich Re said via email.
The spokesperson said a number of sample exclusion clauses that are appropriate for the modern-day market environment have started to emerge. The spokesperson cited the LMA War, Cyber War and Cyber Operations exclusions.
“Munich Re has started and is determined to introduce the newly available war exclusions or clauses with similar intent that adequately address the specific challenges of cyber,” the spokesperson said.
The policy changes could cause difficulties for companies obtaining cyber policies. The policy exclusions at Lloyd's will make it more difficult for companies to obtain coverage for a wide range of cyberattacks, according to Cindy Jordano, a partner at Cohen Ziffer Frenchman & McKenna, a law firm specializing in insurance recovery.
The firm represented high-speed trading company Virtu Financial after Axis Insurance denied coverage on a social engineering attack, which led to almost $11 million in losses. The suit, filed in federal court, reached settlement earlier this year.
“In practice, enforcement of this new exclusion will present challenges,” Jordano said. “Insurers face the burden of proving that exclusions unambiguously exclude coverage, and with the Lloyd's exclusion, insurers will likely face challenges proving that cyberattacks are, in fact, state backed given the undercover nature of many of these attacks."
Correction: The story was updated to reflect the final settlement amount in the Virtu Financial case was not publicly disclosed. The suit arose after Axis Insurance initially denied Virtu Financial coverage on a social engineering attack, which led to almost $11 million in losses.