You need to improve your Network Security Today

Lloyd’s of London Ltd. will require its insurer groups globally to exclude catastrophic state-backed hacks from stand-alone cyber insurance policies starting next year.

Lloyd’s is a marketplace where roughly 75 syndicates of underwriters congregate to provide insurance coverage for businesses, organizations and individuals. As of March 31, when coverage begins or is renewed, syndicates must exclude state-backed cyberattacks from policies that protect against physical and digital damage caused by hacks, Underwriting Director Tony Chaudhry said in a bulletin dated Aug. 16.

The move is designed to make sure insurers are clearly stating what they will and won’t cover, as the ability of state-backed hacks to spread and cause damage could cause systemic risk in the insurance market, the notice said.

At a minimum, Mr. Chaudhry said, policies must contain clauses that exclude losses arising from a war, declared or otherwise, where the policy doesn’t have a separate war exclusion. They must also exclude losses where a state-backed attack has a catastrophic effect on the target nation and impairs its ability to function. There must also be a robust process by which parties decide attribution for attacks, according to the notice.

“Cyber remains a priority area for Lloyd’s,” a company representative said. “The advisory guidance provided last week, following consultation with our market, is to ensure we take on the right kinds of risk as a market while approaching this complex field with the expertise and diligence it requires.”

If you would like to schedule a review of your Cyber Security, you can do this on this page or call us on 281-647-9977.

While exclusions for openly declared war are relatively straightforward, determining attribution for a nation-backed cyberattack is fraught with difficulty. For instance, drawing a line between when a criminal group is simply acting in support of a nation, or actually operating as a state agent, is a challenge, U.S. officials have previously said. Brokers said that determining the degree of damage caused by an attack, which would trigger the exclusions, is similarly tough.

“For most market participants, it’s not so much about nation-state activity as it is about when that level of activity rises to a degree of catastrophe in financial terms,” said Gregory Eskins, U.S. and Canada cyber product leader at the Marsh brokerage unit of Marsh & McLennan Cos. “That’s something we’re all wrestling with.”

Insurers have been exploring ways to tighten the language in their policies, particularly after a New Jersey judge last year ruled in favor of Merck & Co., deciding it was entitled to payouts from its insurers after a 2017 cyberattack. Merck had been affected by the NotPetya virus, which it said ultimately cost $1.4 billion to recover from. The company’s property and casualty insurers initially denied the claims on the basis of war exclusions. In that case, the judge said Merck couldn’t reasonably be expected to know that war exclusions would apply to such an event, essentially declaring that a common acts-of-war exclusion doesn’t cover cyberattacks.

Part of the reason why insurers are increasingly leery of covering state-backed cyberattacks is the vast economic damage they can cause. Packaged-food company Mondelez International Inc., which was also a victim of NotPetya, claimed $100 million in damages related to the attack, while Britain’s National Health Service said the WannaCry virus cost it over $100 million. The U.S. government has formally attributed NotPetya to Russia and WannaCry to North Korea. Both nations deny involvement.

Cyber insurance, which has become an increasingly important market due to a proliferation of attacks in recent years targeting companies of all sizes, has been going through a period of readjustment in recent months, as carriers better understand how to model and price the risk they are covering.

The new Lloyd’s requirements represent an “evolution” in how the insurance industry is approaching cyber, said Thomas Reagan, U.S. and Canada cyber practice leader at Marsh, but the new stipulations also introduce difficulties.

“As with all these things to some extent, it’s two steps forward and one step back,” Mr. Reagan said. While the bulletin establishes some certainty and clarity around what Lloyd’s expects, he said, it also creates uncertainties for policyholders, such as how to attribute a given cyberattack.

War exclusions in particular have been a topic of fierce debate within the cyber-insurance industry for years, but Russia’s invasion of Ukraine in February reignited concerns that a significant cyberattack, such as one that takes down critical infrastructure, could result in catastrophic losses for insurers. The relative youth of the cyber-insurance market means there is a lack of standardization around terms and exclusion clauses, ratings firm Moody’s Investors Service Inc., a unit of Moody’s Corp., said in a June note.

“In U.S. litigation, insurers must generally demonstrate that an exclusion within an insurance policy applies to the case. This puts the burden of proof on the insurers in the case of the war exclusion,” Moody’s analysts said in the note. Moody’s declined to comment on the Lloyd’s bulletin.