Whilst there have been no cyber attacks of comparable scale since the invasion of Ukraine, the scope of cyber insurance, and the war exclusions issue specifically, has taken centre stage as carriers look to clarify their positions on cyber warfare and buyers seek reassurance that existing levels of protection will be maintained.
Inconsistent terms and language across cyber (re)insurance policies – and their enforceability in relation to attribution especially but also the circumstances and context of each attack – were concerns that pre-dated the war in Ukraine, and have taken on more weight as the conflict continues and geopolitical tensions escalate elsewhere.
Much has happened on this front over the last 12 months, with a lot of noise around Lloyd’s of London war exclusions that came into effect at the end of 1Q2023.
The Q&A overleaf with Howden experts breaks down the key points and what it means for buyers and markets. The introduction of new war exclusions by Lloyd’s has been the source of considerable discussion and concern.
Howden’s Sarah Neild (Head of Cyber Retail) and Dan Leahy (Associate Director) suggest that the new wordings bring much needed clarity.
Why have new cyber war exclusions been introduced by Lloyd’s?
There have been long-held concerns across the insurance market about the applicability of traditional war exclusions to large-scale cyber incidents, particularly state-sponsored attacks. Traditional exclusions are designed for property-related policies, where cause (physical war) and attribution (state(s) or group(s) involved) can be more easily established than is the case for cyber.
The scope of traditional exclusions is also broad, covering risks such as ‘insurrection, hostilities and acts of foreign enemies’, typically with no requirement for war to be declared.
Equally important for cyber, most do not specify that excluded acts must be ‘physical’ and the potential for cross-border consequences (a real risk associated with cyber warfare) is not addressed.
Whilst a carveback for ‘cyber terrorism’ worked its way into many traditional war exclusions, the language is often broader than its originally intended scope, leaving another area for dispute on untested language.
In these discussions, it is important to remember that there are war exclusions in all cyber policies (like most lines of insurance) that are untested and were not originally drafted with cyber risks in mind.
The desire to develop new language therefore stems from the need for something more suitable, with defined parameters and thresholds more appropriate for cyber. Getting this right is crucial to the relevance and sustainability of the market.
What do the new exclusions cover (and not cover)?
Following teething problems early in the process (with multiple new clauses in circulation offering varying degrees of complexity and a lack of uniformity around their application), Lloyd’s and the broking community have landed on something more workable (in the form of LMA5567A/B).
Despite some reporting to the contrary, these exclusions do not exclude all state attacks. Coverage will remain for all but the most catastrophic of events, even if undertaken or supported by state actors.
Under the standard wording, losses will not be covered if they:
1) arise directly or indirectly from a physical war, and / or
2) arise from a cyber attack that is carried out as part of a physical war, and / or
3) arise from a state-sponsored cyber attack that causes a major detrimental impact to the essential services required for the functioning of a sovereign state.
How do they compare to traditional war exclusions?
What the exclusions seek to do is provide a framework designed for cyber’s unique risk profile and offer clients more certainty around the parameters of cover (in other words, what is insurable and what exceeds the threshold of insurability).
One key addition to the new war exclusion is a carveback for point #3, that reinstates cover should any collateral damage occur to assets in countries that have not been targeted directly.
So if an incident spreads outside of the target country, within a global network, only losses arising from the local outage would be excluded, not the broader cross-border losses. This level of clarity and scope of cover does not exist in traditional war exclusions.
Detail around definitions adds to the differentiation from traditional exclusions. War is clarified as being ‘armed conflict involving physical force’ whilst the ‘major detrimental impact’ clause introduces an impact threshold that means the exclusion should only come into force when a country’s ability to function is jeopardised.
Essential services, including financial institutions and associated financial market infrastructure, health services or utility services, would need to be significantly impacted for this to happen.
The threshold has an intentionally high bar: an attack on a number of banks, energy suppliers or similar would not trigger the exclusion unless it is of such scale that it disrupts the availability or delivery of services to the country as a whole.
Cyber insurers have confirmed that they do not consider any attack to date (including NotPetya) would be of sufficient scale to trigger the exclusion.
Do the exclusions deal with the attribution issue?
Proving attribution in cyber attacks remains a controversial topic and much of clients’ concerns from the outset have centred on this issue. Some progress has been made, however.
Original language that allowed insurers to rely on certain governmental statements and other sources attributing responsibility has been watered down or removed entirely.
LMA5567A reiterates that the burden of proof is on insurers, and allows both parties to ‘consider’ (not rely on, or be bound by) objectively reasonable evidence. This goes no further than is already the case in any dispute resolution mechanism.
LMA5567B, meanwhile, removes attribution language entirely, although insurers require Lloyd’s agreement to use this, with evidence of a satisfactory dispute resolution process that contemplates the application or misapplication of war exclusions.
Are the new exclusions a positive or negative development?
It has been a long road getting to this point, during which time we have fought hard against some of the more restrictive language in earlier clauses.
The rollout process has been difficult and has not shown the cyber insurance market in the best light. More positively, the clauses are now designed explicitly for cyber risks, providing increased clarity in a number of areas.
This was a discussion that needed to take place, and whilst we expect developments to continue, it is a useful starting point.
Participants have also taken a crucial step in delivering a sustainable market. War exclusions are standard in nearly all other insurance products and the insurance market simply does not have the capital base for the potential aggregations associated with cyber warfare.
The process of defining the limits of cover specific to cyber acts of war, whilst ensuring that they remain limited in remit and scope, is therefore needed to fulfil the full potential of the market and, more broadly, to secure the relevance of insurance for the long term.
This is not to say further refinements cannot be made, particularly around clearly defined impact thresholds.
We expect increased uniformity as the year progresses, as large reinsurers impose similar exclusions at remaining renewals this year and from 1 January 2024, which will help the divergence of language issue for larger insurance programmes, with multiple participating insurers. We remain committed to advocating for clients as the market adapts to what is a fluid and highly charged threat environment.