Assured Reacts 23.08.2022

Assured Reacts: Lloyd’s of London Excludes Certain Nation-backed Cyber Attacks from Insurance Policies

The what, why and truth between the lines of Lloyd’s of London’s cyber exclusions

What’s happened?

In a market bulletin pushed out by Lloyd’s of London on 16 August 2022, the syndicate marketplace announced that syndicates must exclude losses arising from state-backed cyber attacks that (a) significantly impair the ability of a state to function or (b) significantly impair the security capabilities of a state.

Although the bulletin does not describe the excluded attacks as “catastrophic nation-backed attacks”, people have surmised that meaning, and that’s what headlines have run with. The bulletin was set out by Tony Chaudhry, underwriting director at Lloyd’s of London.

Why?

In the bulletin, Lloyd’s explains that cyber risk continues to evolve and “if not managed properly, it has the potential to expose the market to systemic risks that syndicates could struggle to manage.” Cyber insurance is an immature yet increasingly important market thanks to a proliferation of cyber attacks. It’s a continually evolving industry, and insurers are constantly readjusting and getting better at pricing the risk they are insuring.

This move is designed to ensure that insurers clearly state what they will and won’t cover and is an all-important step towards standardisation.

When?

The requirements take effect from 31 March 2023, at the inception or renewal of each policy.

So what is Lloyd’s of London saying?

A Lloyd’s representative told Assured there’s nothing new in the bulletin but that it exists to formally “ask underwriters to have an element of commonality.” A formal statement from a Lloyd’s of London representative states: “Cyber remains a priority area for Lloyd’s. The advisory guidance provided this week, following consultation with our market, is to ensure we take on the right kinds of risk as a market while approaching this complex field with the expertise and diligence it requires. Rather than applying a ‘one size fits all’ approach to the risk in question, the guidance encourages managing agents to recognise and apply due diligence to the specific complexities around state-sponsored cyber-attacks.”

What about insurance companies that don’t use Lloyd’s of London syndicates?

They will be able to make their own decisions on whether or not to exclude ‘catastrophic’ nation-backed cyber attacks. Typically, where Lloyd’s of London goes, the rest of the market will, at some point, follow, but for now, the prerogative is theirs.

What are the concerns about this Lloyd’s of London announcement?

A lot of the negative response centres on attribution and the concern that, often, an organisation doesn’t know who it has been attacked by. Even if it’s possible to identify the group and country behind the attack, it’s tough to prove affiliation with the state. For the insured, it raises concerns that if the absolute worst happens, they won’t have their insurers in their corner. The cynical argue that it’s a move which gives insurers an additional ‘get out of jail free’ card.

What’s the reality?

The reality is that the onus is on the insurer to prove that the incident was a state-backed cyber attack that (a) significantly impaired the ability of a state to function or (b) significantly impaired the security capabilities of a state. The insured doesn’t have to prove that it wasn’t; the insurer has to prove that it was. The impact of this announcement may therefore be more minor than some headlines suggest.


What’s Assured’s take?

The concern here is that this statement will get taken out of context. This is not a means for insurers to refuse to pay cyber claims. Despite claims to the contrary, Assured stands by the reality that cyber insurance pays out more than any other line of business insurance. The industry will continue to support businesses against the risks cyber imposes.

This is the industry’s pre-emptive action to avoid potential over-exposure to liabilities from a significant uncontrollable (systemic) risk arising from a nation-backed hacking group. Put simply: without this check, there is a risk that insurers will be unable to provide support for the damage caused by these nation-state-backed attacks due to their severity and ability to spread. Consequently, this would cause a systemic loss affecting their entire portfolio of clients. After all, a bust insurer can’t pay anyone.

For the past two years, insurers have focused on limiting aggregate exposure by reducing their insuring capacity line sizes. Excluding systemic loss and nation-state-backed attacks is not new, and this statement from Lloyd’s is more to draw attention to these exclusions and to review their intent. It also ensures that clients, brokers and insurers alike know coverage intent.

This is not a meaningless restriction of coverage; this is a necessary response to what has become the most prominent threat to any business with online exposure. To continue supporting businesses, realignments of what can and cannot be covered have to be made to continue cyber insurance cover in any form.

For any uncertainty, an insured business can lean on their broker for guidance and determine if this affects a policy already in force.
