Lloyd’s would exclude devastating nation-backed cyberattacks from insurance coverage
Lloyd’s of London Ltd. will require its insurer groups globally to exclude catastrophic state-backed hacks from stand-alone cyber insurance policies starting next year.
Lloyd’s is a marketplace where approximately 75 syndicates of underwriters gather to provide insurance coverage for businesses, organizations and individuals. By March 31, when coverage begins or is renewed, syndicates should exclude state-backed cyberattacks from policies that cover physical and digital damage caused by hacks, underwriting director Tony Chaudhry said in a bulletin dated August 16.
The notice said the move is designed to ensure that insurers clearly state what they will and will not cover, because the potential for state-backed hacks to spread and cause damage may pose a systemic risk to the insurance market.
At a minimum, Mr Chaudhry said, policies should have clauses that exclude damage arising from war, declared or otherwise, where the policy does not have a separate war exclusion. They should also exclude losses where a state-backed attack has a devastating effect on the target nation and impairs its ability to function. According to the notice, there should also be a robust process by which the parties decide the attribution for attacks.
Lloyd’s did not respond to a request for comment.
While exclusions for an openly declared war are relatively simple, attribution of a nation-backed cyberattack is difficult to determine. For example, it’s a challenge to draw a line between a criminal group acting in support of a nation and one actually acting as a state agent, US officials have said previously. Brokers said that determining the amount of damage caused by an attack that would trigger an exclusion is equally difficult.
“For most market participants, it’s not so much about nation-state activity as it increases the level of activity to a degree of catastrophe in financial terms,” said Gregory Eskins, US and Canada cyber product leader at Marsh, the brokerage unit of Marsh and McLennan Cos. “That’s the thing we’re all wrestling with.”
Insurers are exploring ways to reinforce the language in their policies, especially after a New Jersey judge last year ruled in favor of Merck & Co., saying it was entitled to be paid. Merck was affected by the NotPetya virus, which it said ultimately cost $1.4 billion to recover from. The company’s property and casualty insurers initially denied claims based on war exclusions. In that case, the judge said that Merck could not reasonably be expected to know that the war exclusion would apply to such an incident, essentially declaring that ordinary acts of war did not involve cyberattacks.
One of the reasons insurers are increasingly moving to address state-backed cyberattacks is the huge economic damage they can cause. Packaged-food company Mondelez International Inc., which was also a victim of NotPetya, claimed $100 million in damages related to the attack, while Britain’s National Health Service said the WannaCry virus cost more than $100 million. The US government has formally attributed NotPetya to Russia and WannaCry to North Korea. Both countries deny involvement.
Cyber insurance, which has become an increasingly important market in recent years due to the proliferation of attacks targeting companies of all sizes, has been going through a period of readjustment in recent months, as carriers better understand how they model and value the risk they cover.
Thomas Reagan, US and Canada cyber practice leader at Marsh, said the new Lloyd’s requirements represent an “evolution” in how the insurance industry is approaching cyber, but the new terms also present difficulties.
“To some degree with all these things, it’s two steps forward and one step back,” Mr Reagan said. While the bulletin establishes some certainty and clarity about Lloyd’s expectations, he said, it also creates uncertainty for policyholders, such as how to attribute a given cyberattack.
War exclusions in particular have been the subject of fierce debate within the cyber-insurance industry for years, but Russia’s invasion of Ukraine in February raised concerns that a major cyberattack, such as one that took down critical infrastructure, could cause catastrophic losses for insurers. Rating firm Moody’s Investors Service Inc., a unit of Moody’s Corp., said in a June note that the relative youth of the cyber-insurance market means there is a lack of standardization around terms and exclusion clauses.
“In US litigation, insurers must generally demonstrate that an exclusion within the insurance policy applies to the case. This places the burden of proof on insurers in the case of war exclusion,” Moody’s analysts wrote in the note. Moody’s declined to comment on Lloyd’s bulletin.
While Lloyd’s requirement is important because it seeks to remove ambiguity about when and where exclusions will be applied to policies, it could also harm hack victims, said Joshua Motta, chief executive of insurer Coalition Inc., which provides cyber-specific coverage.
“The second importance is that policyholders may be left without support or critical services from their insurer pending a government charge,” he said.
The Lloyd’s Market Association, a trade group for the companies that run syndicates, known as managing agents, came out with a number of draft contractual clauses in November 2021 that would exclude state-backed cyberattacks from coverage in cyber policies. Lloyd’s said in its note on Tuesday that the use of these clauses would meet its requirements.
Write to James Rundle at
Copyright © 2022 Dow Jones & Company, Inc. All rights reserved.