Unhappy about excluding nation-state attacks from cyberinsurance? Get ready to pay
Lloyd's defends stance as critics say policy tweaks make it less worthwhile to spend on premiums
Critics unhappy about insurers excluding certain nation-state attacks from cyber policies should consider the alternative: higher prices, according to Lloyd's of London.
Based in the UK, Lloyd's is a marketplace of insurance buyers and sellers, rather than a company, and has 77 cyber risk insurers under its wing for which it sets the rules. Collectively, it has more than 200 lines of business and wrote $41.2 billion (£35.5 billion) of gross premiums last year. North America is the source of over half of its premiums.
Lloyd's chief of markets Patrick Tiernan was speaking to the Financial Times after a backlash against an August memo [PDF], penned by Lloyd's underwriting director Tony Chaudhry, saying the market will require all of its insurance groups to exclude any liability for losses resulting from state-backed cyberattacks from their insurance policies from March 31, 2023.
Tiernan told the FT that not including these cyberwar exclusions would "drive up insurers' capital requirements" – a cost they would in turn pass on to customers.
Companies looking for risk protection against cyberattacks have complained the move limits, and potentially excludes, a lot of the cover they believe they've paid for, while legal experts have pointed to growing disputes over whether or not a particular attack has state support.
Why should I care about acts of war clauses? They won't affect your auto insurance much, but they will impact cyberspace
As Lloyd's has pointed out, acts of war clauses are really "common" in insurance contracts generally. However, for the most part, there's only a very slim chance that, say, your car gets hit by a missile from another country attacking yours. Most of the time, when you buy car insurance, you are looking at insuring against damage from someone ignoring a red light.
In cybersecurity, however, an act of war exclusion is a bigger deal: there's a much more real risk that the person or people behind an attack, or the malware they use, will be linked to one of those murky state-affiliated groups. In addition to nations in conflict pitting their cyberteams against each other, cyberattacks can be launched by an individual or a group sympathetic to one side, with the sort of political motivations that security researchers are quick to flag as state-sponsored.
As for the impact, take, for example, the situation where Russia's infamous APT 29, aka Cozy Bear, was accused by both the US and UK governments of being behind the SolarWinds Orion attack. That attack could potentially have affected up to 18,000 public and private orgs, including governments, that used the Orion network management system to manage their IT resources.
SolarWinds said in an SEC filing last year that the number was "under 100" – hardly reassuring.
Costs of doing business
Premium rates taken by Lloyd's stakeholders already rose by 10.9 percent in 2021, a year which marked a return to profitability for the marketplace, it said in its latest annual report. Meanwhile, international insurance broker Howden found last year that across the globe, cyber insurance pricing had increased by an average of 32 percent in the year before its assessment.
Tiernan told the paper the move was a way of being "responsible to our customers and acting with the market," claiming: "Very often in the past, these sort of corrections or evolutions to policy language happen post-event... after everything has gone wrong."
Lloyd's Market Association (LMA), a trade body for Lloyd's-affiliated syndicates, first started floating model clauses excluding acts of "cyberwar" for insurers and underwriters in September last year, stating in at least one of them that when it came to deciding whether a state actor was behind the cyberattack, "the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its behalf."
At the time, Patrick Davison, the LMA's underwriting director, told The Reg that insurance companies themselves would need to prove an exclusion clause applies – that's if no government openly declared an attack was the fault of some other rogue state.
- Lloyd's to exclude certain nation-state attacks from cyber insurance policies
- Cyber insurance model is broken, consider banning ransomware payments, says think tank
- The cost of cyber insurance increased 32% last year and shows no signs of easing
- FedEx execs: We had no idea cyberattack would be so bad. Investors: Is that why you sold $40m+ of your own shares?
- Cyberlaw wonks squint at NotPetya insurance smackdown: Should 'war exclusion' clauses apply to network hacks?
- How do we stamp out the ransomware business model? Ban insurance payouts for one, says ex-GCHQ director
According to Lloyd's 2021 annual report, it took in £39.2 billion ($45.37 billion) in gross written premiums and made £2.3 billion ($2.66 billion) in profit before tax.
It hasn't come out of the greatest year, though – in 2020, it reported a loss before tax of £887 million ($1.02 billion), with an underwriting loss of £2.676 billion ($3.1 billion), including COVID-19 losses.
More than one cyber insurance company has claimed losses by the companies it has insured should fall under war or "hostile acts" exclusions. Pharma giant Merck recently received a $1.4 billion payout from its insurer, ACE American Insurance Company, after the Superior Court of New Jersey ruled an exclusion on damage caused by the NotPetya ransomware was "inapplicable."
The file-scrambling ransomware infected computers all over the world, hitting hospitals, courier FedEx, TNT, and others, and causing damages estimated at around $10 billion worldwide. The UK, US, and Ukrainian governments have all attributed the attack to Russia's state-sponsored hackers.
However, in the Merck case, the court sided with the pharma giant's argument that the exclusion contained language that limited it to the use of armed force, and that "the exclusion applied only to traditional forms of warfare" involving "de jure or de facto" sovereigns – which shows why Lloyd's and other insurers are very keen to tighten up those cyberwar clauses and avoid losing these kinds of cases.
Mondelez International Inc also sued its insurer, Zurich American Insurance Company, over an act of war exclusion for the NotPetya attack. The case, currently in the circuit court for Cook County Illinois, was filed in 2018 – with the outcome pending.
We've asked Lloyd's for comment. ®