As discussed in a previous post, cyber insurance demand and premiums have significantly increased in recent years. Fitch Ratings forecasts that cyber-related premiums could balloon to $22.5 billion by 2025. Those increases presumably reflect considerable claims activity, including in connection with liabilities arising from war and state-backed cyberattacks. To manage these exposures, insurers in the cyber market are increasingly relying on changes to their policies that attempt to carve out some or all of this liability from coverage. A recent example of this trend, which may significantly alter the cyber insurance landscape, is playing out right now in the London Market.
In August 2022, the Lloyd’s Market Association (LMA) issued Market Bulletin Y5381, which focused on cyberattack losses in circumstances where “losses arise from attacks sponsored by sovereign states.” Pursuant to this Bulletin, the LMA now requires all insurers that sell standalone cyberattack policies operating in the London market exclude coverage for specific losses related to state-backed cyberattacks and include new exclusions that address cyberattack losses outside the traditional “acts of war” exclusions. Specifically, the Bulletin states that any state-backed cyberattack exclusion must:
- exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
- exclude losses arising from state-backed cyberattacks that:
- significantly impair the ability of a state to function, or
- significantly impair the security capabilities of a state.
- be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state-backed cyberattack.
- set out a robust basis by which the parties agree on how any state-backed cyberattack will be attributed to one or more states.
- ensure all key terms are clearly defined.
Based on the LMA’s guidance, insurers must implement these requirements for all policies covering cyberattacks, including renewal policies, with a policy period beginning on or after March 31, 2023.
The LMA also published eight model clauses for guidance, consisting of four A and four B versions of each exclusion. The “A” versions meet the requirements of Market Bulletin Y5381 in relation to stand-alone cyberattack policies. The “B” versions do not address the attribution requirements in Item 4 above and are therefore not compliant without prior agreement from Lloyd’s. Insurers do not need to include these provisions verbatim, but are free to use different language to meet the established requirements so long as the language is vetted by their counsel and approved by their underwriters.
Although the LMA suggests that its new requirement for exclusions provides clarity for standalone cyberattack policies, the model language has a number of issues. As an example, it is often difficult to ascertain the identity of the actors behind a cyberattack, creating significant difficulties with the attribution language the LMA now requires in policies. Not only do nation-states engage in cyberattacks, perpetrators often include private individuals and entities, which can make attribution difficult. In some instances, private individuals may act with explicit or implicit governmental approbation. Policyholders should be mindful of policy language that expansively excludes cyber warfare engaged in or sponsored by nation-states. Without clearly worded exclusionary language, insureds may believe that they are generally covered for cyberattacks, only to find that their insurers apply policy exclusions to broadly preclude coverage for losses arising from attacks sponsored by sovereign states.
The LMA’s model cyber exclusion clauses approach attribution by relying on the determination of the government of the state affected. In determining attribution of a cyberattack, the insured and insurer will consider such “objectively reasonable” evidence that is available to them. However, various challenges may obscure attribution, including misinformation or even plausible deniability of state-sponsored cyberattacks. The attribution process takes time, possibly weeks to months, and policyholders could face uncertainty before attribution is determined, if at all.
Future developments are expected and the extent to which other insurers will follow the LMA on these issues remains to be seen. While some insurance providers may refrain from adding additional exclusionary language, others may develop their own, alternately worded provisions.
Placing cyber insurance coverage is key to protecting against the potentially devastating impacts of a cyberattack. Often, policyholders do not know what their insurance policy covers until they experience a cyberattack that causes significant loss. Policyholders should work with experienced counsel to evaluate coverage when purchasing policies and assess how specific provisions may have changed their rights based on these recent developments.