Global insurance provider Lloyd's of London has added language to its cyber insurance policies that slashes coverage for state-sponsored attacks, a move that largely reflects the massive impact of supply chain and ransomware attacks on the cyber insurance business.
The Lloyd's Market Association Cyber Business Panel drafted four operating exclusions that put limits on coverage for state-sponsored attacks. The policy excludes coverage for cyberattacks undertaken directly or indirectly as a result of war or a cyber operation, according to policy documents released last week.
Underwriting Director Patrick Davison told Cybersecurity Dive that the new model clauses are "illustrative and distributed for the guidance of LMA members," adding that syndicates are free to deviate from the clauses as they see fit.
"Lloyd's new endorsements range in impact," said Andrea DeField, a partner at the law firm of Hunton Andrews Kurth. "Some of the proposed endorsements expand the war exclusion to situations beyond formally declared war and practically eliminate the cyber terrorism exception so as to preclude all coverage arising out of actions 'by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.'"
In contrast, other versions of the endorsement only sublimit the amount of coverage available for losses arising from state-sponsored attacks, so only a small portion of the policy limits is available, according to DeField.
The state-sponsorship exclusion marks the latest significant development in the cyber insurance space by Lloyd's, which has been discouraging about 100 syndicate members from taking on new business, according to a November report by Reuters.
"The cyber war exclusion is very broad, and attacks don't necessarily have to be attributed to a state actor to qualify for the exclusion," Jess Burn, senior analyst of security and risk at Forrester, told Cybersecurity Dive via email. "Taken together, it seems less about cutting off acts of state-sponsored cyber war and more about cutting losses for the carrier."
Cybersecurity executives have warned about the impact of sophisticated attacks on the insurance market, particularly in connection with the surge in ransomware attacks over the past couple of years.
The U.S. Treasury Department reported $590 million in ransomware activity in suspicious activity reports during the first half of 2021, compared with $416 million for the entire year of 2020.
Carolyn Crandall, chief security advocate at Attivo Networks, warned that insurance companies would raise premiums for cyber insurance coverage. Ransomware coverage in particular would be the subject of heightened debate about exclusions under act of war clauses.
"Depending on the answer, which will likely be driven by the level of violence, death or destruction, this can have implications for businesses related to whether insurance companies will use this as an opportunity to opt out of ransomware reimbursements," Crandall said.
Crandall predicted there would be more discussion in 2022 related to inadvertent terrorist funding and retaliation.
Excluding coverage for war-related damage is not a new concept for the insurance industry, and prior nation-state activity has been the subject of debate over how to manage financial losses.
"The challenge in the world of cyber risk is in defining what constitutes an act of war, as well as the notorious difficulty in attributing acts to specific groups, including nation states," said Oli Brew, head of client success at CyberCube, a firm that specializes in cyber risk analytics. "There is a spectrum of involvement in nefarious hacking by nation states, from direct involvement by military personnel to complicit funded or enabling activities."
For example, the 2014 attack against Sony was identified as highly likely to have emanated from actors backed by North Korea, Brew said. But despite that high confidence it was considered to have fallen beneath the threshold of war.