Insurers "run risk" of being reliant on government cyber warfare declarations
“If you’re going to rely on government declarations, then you run a risk of it being subject to political motivation.”
Lloyd’s set out in August that, from the end of March 2023, its managing agents will have to ensure that war exclusions are up to date when it comes to cyber policies.
In a market bulletin, Lloyd’s said it would be “satisfied” firms had met these criteria through the use of any of the four cyber war exclusion clauses drafted by the Lloyd’s Market Association (LMA), though they are not required to use one of these clauses if they have another that fits the criteria.
The mandate may have been intended to give clarity to the market and insureds. But the aftermath of the announcement has seen warnings from within and outside the insurance market over the difficulties of attributing an attack, over litigation risk, and over the possibility that insurance buyers could be put off the cover despite widely reported anecdotal interest stemming from Russia’s Ukraine conflict.
Much of the criticism and concerns stem from a misconception that Lloyd’s will force businesses to use one of the LMA clauses, which suggest that the “primary but not exclusive factor” will be the government of a state confirming it has fallen victim to a cyberattack, according to Newman.
For brokers, including the chair of the UK’s British Insurance Brokers’ Association cyber panel, John Pennick, who spoke to Insurance Business last month, a big fear has been around attribution of an attack – not just how long this could take, but also whether state governments might have a political motivation in declaring or not declaring an alleged attack from another nation state.
“There is a confusion that the Lloyd’s mandate is somehow connected to the LMA exclusions,” Newman, who predicted that most underwriters will not adopt one of the four LMA clauses, said.
“I personally think there’s a weakness inherent within those exclusions, how they’re drafted, and that is not the basis upon which we will be drafting our exclusion,” he added.
Underwriters – particularly those working with SMEs – will likely look within, or elsewhere, for compliant clauses, Newman suggested.
“[The LMA clauses] are drafted as if everybody in the world is a major multibillion dollar global corporate that just relies on its insurance for some balance sheet protection and can wait 12 months for a payout,” Newman said.
“Those claims [coming from smaller enterprises] cannot wait six months for an insurer to work out whether it was a nation state attack or not, therefore attribution needs to happen a lot quicker.
“We’ll have to accept that maybe attribution that needs to happen quicker will be done less accurately – I think that’s fine if both parties agree.”
The mandate itself, in Newman’s view, is “absolutely necessary”.
“It requires a body like Lloyd’s to force people to update wordings and make sure they’re clear for both insurer and insured,” he said.
“The practical reality is that this new mandate will not give rise to new claims being excluded that otherwise would have been covered, because these are all claims that the market would have intended to exclude using the war exclusion.”
The problem posed by relying on war exclusions drafted prior to the developments in cyber – or electronic – warfare was demonstrated in a January judgment in the US that saw the court come down on the side of pharma giant Merck in its case against insurers.
Merck had sought US$1.4 billion for losses sustained when the NotPetya malware infected 40,000 of its computers in June 2017.
The insurers had argued that the losses were not covered by Merck’s “all risks” policy, because the malware was used as an instrument of the Russian Federation in hostilities against Ukraine.
The judge sided with Merck and came close to criticising its insurers for having “failed” to update the policy language to reflect cyber developments.
The language used in the policy had been “virtually the same for many years”, the judge, Hon Thomas Walsh, of the Superior Court of New Jersey, pointed out in the judgment.
The Lloyd’s mandate, which seeks to prevent a repeat of the Merck judgment, can be split into three parts, according to Newman.
The first is offering clarity that when insurers exclude war, they are also excluding electronic warfare.
“Clearly electronic warfare is an electronic attack by a nation state against another nation state, but it also needs to meet a threshold and materiality so that to be considered cyber war, it must lead to a major detrimental impact to the state that is attacked, or the ability of that state to defend itself, which in plain language is what we’d all call war,” Newman said.
The second element is around being clear whether collateral damage will be covered. For example, the NotPetya ransomware that became the subject of Merck’s claim may arguably have been directed at Ukraine, but it went on to infect systems across the world.
“The mandate simply says, insurers must be clear whether they intend to cover or exclude collateral damage,” Newman commented.
The third is around ensuring that insurers have defined a method for determining how they intend to attribute potentially state-backed attacks.
“People say it’s really difficult to do attribution in the context of electronic attacks, which is true, but [Lloyd’s] simply said, ‘well, given that it’s complicated, please write down how you intend to do the attribution, rather than figuring it out when a claim comes along’,” Newman said.