Lloyd's of London suggests insurers should not cover 'retaliatory cyber operations' between nation states
And they might attribute cyber attacks if governments won't
Lloyd’s of London may no longer extend insurance cover to companies affected by acts of war, and new clauses drafted for providers of so-called "cyber" insurance are raising the spectre of organisations caught in tit-for-tat nation state-backed attacks being left high and dry.
The insurer's "Cyber War and Cyber Operation Exclusion Clauses", published late last week, include an alarming line suggesting policies should not cover "retaliatory cyber operations between any specified states" or cyber attacks that have "a major detrimental impact on… the functioning of a state."
"The insurer shall have the burden of proving that this exclusion applies," warn the exclusion policies published by the Lloyd's Market Association.
Although the wordings in the four clauses are published as a suggestion for insurers in Lloyd's-underwritten policies and are not concrete rules, they provide a useful indicator for the direction of travel in the slow-moving cyber insurance world.
The policy clauses also raise the idea of insurance companies attributing cyber attacks to nation states in the absence of governments carrying out attribution for specific incidents, an idea that seems extremely unlikely to survive contact with reality. All four of the clauses, available as PDFs from the bulletin, contain this wording:
Pending attribution by the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located, the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its behalf. It is agreed that during this period no loss shall be paid.
Some infosec figures expressed dismay over the new clauses, with Ciaran Martin, former chief of Britain's National Cyber Security Centre, tweeting:
The document is called “War, cyber war and cyber operations exclusions”. But👇it defines ‘war’ & ‘cyber operations’ but not ‘cyber war’.— Ciaran Martin (@ciaranmartinoxf) November 28, 2021
Does para 9.2 exclude cover for any state sponsored hacking which happens all the time outside war? If so, that’s huge. Be clear about it 2/4 pic.twitter.com/eI3G35rdhz
Matt Middleton-Leal, EMEA North MD for cloud security firm Qualys, said in a statement that it wasn't all doom and gloom, though he wasn't exactly upbeat either.
"Some of the guide policies include protection for 'bystander attacks' and some do not," he said. "Bystander attacks are a risk where a specific nation state attack affects IT systems used by other companies that have the same applications or IT setups in place, and they get hit in the blast radius. While they are not the specific target they may get hit in the same way."
"Petya in 2017 is a good example of this," continued Middleton-Leal. "The attack was aimed at Ukrainian companies, but other companies around the world were affected. This new guidance from Lloyd's is a positive move and one that I think will help – even if state actors do carry out attacks specifically targeting other nation states, the impact on other businesses should not be discounted."
Cyber intrusions tend to come from nation states' spy agencies; an insurance policy which refused to pay out if, say, Russia or China broke into a company's servers to steal customer data would be of very low value in today's world. All Western businesses targeted by Russia's SVR spy agency in the SolarWinds hack, for example, would potentially see themselves left with legions of angry end users and no financial safety net to meet lawsuits and beef up their defences.
One could also make a comparison with the Irish health service ransomware attack. Though it wasn't from a state-sponsored crew (as far as is known at the time of writing), the effects on Ireland's largely state-owned healthcare sector were disastrous.
British government policy is that cyber insurance can be used to pay off ransomware criminals, though the RUSI defence think tank suggested banning such payments earlier this year. In a research report, RUSI also found that insurers were selling policies with minimal due diligence, leading to (quelle horreur) insurance firms paying out when their clients suffered cyber attacks.
With premiums rising, it's no surprise that cyber insurance firms are tightening their belts. ®