New exclusions clarify what constitutes uninsurable risk in cyber attacks

“There’s been a lot of confusion and concern about new war clauses on cyber policies; while exclusions are never a cause for celebration, adding clarity to coverage can be. Long a murky topic, these changes may usher in a new understanding of the line between insurable and uninsurable risk in the current cyber market.”

The line between insurable and uninsurable risk where conflict between sovereign states involves cyber-attacks has long been difficult to discern. An important element of cyber coverage has been the agnostic approach to threat actors (including state-sponsored/executed attacks), but combined with the war and terrorism exclusions in policies, questions remain as to when a cyber-attack becomes an act of war, and thereby uninsurable. The recent War and Cyber Operation Exclusions introduced by the Lloyd’s Market Association (LMA) have been designed (with the best intentions) to better insulate the cyber market from specific systemic risk emanating from the use of cyber-attacks in the course of war/conflict. War exclusions are commonplace in existing cyber policies (and have been for numerous years), but certain coverage conditions (i.e. carve backs for Cyber Terrorism) have long caused uncertainty as to what level of risk/impact the market can bear where state-sponsored cyber-attacks have far-reaching impact.

The LMA has introduced four versions of the War and Cyber Operation Exclusion (LMA5564 – LMA5567), which will be mandated across any cyber policies written by a Lloyd’s syndicate from Apr 1 2023. As should be expected with any new clause, there are various iterations in the market to further clarify the position and ensure the language is fit for purpose (for carriers and insureds alike), but there are common provisions across all versions for uniformity in position:

1. War (whether declared or not) is excluded from coverage – this is a continuation of the existing coverage position: war is not an insurable risk in the cyber market.

2. Exclusion of state-sponsored cyber-attacks that significantly impair (1) the ability of a state to function or (2) the security capabilities of a state (“impacted state”) – arguably, this is the delineation that has been missing in the cyber market; a more definitive response to “what constitutes uninsurable risk that may or may not be considered war?”

3. Clarity regarding coverage for computer systems located outside of an impacted state – serves to limit the exclusion to that which has been deemed uninsurable by virtue of the “war threshold” established above. This provision is an important recognition that there may be other impacted organisations that exist outside of the intended targeted state.

4. Robust basis for attribution agreement regarding state-backed cyber-attacks – this is a significant change to the functionality of cyber policies. Up to now, the policies have been agnostic as to threat actor, with coverage attaching whether the threat actor was state-sponsored or not, though it is important to note that this position in the context of the war exclusion remained largely untested and confusing. Attribution as an explicit coverage determinant is a new position and again seeks to create a clearer position on what constitutes uninsurable risk that may or may not be considered war.

It is important to note that (1) this directive applies only to Lloyd’s of London Syndicates and (2) while markets must adhere to the provisions above (1-4), there is still flexibility for risk appetite and differentiation (for instance, allowing coverage for assets outside of the impacted state). Though the directive does not extend to the full cyber market, it is a clear indication of the direction the market is moving, and similar clauses should be expected in the broader marketplace.

As these clauses are the first iteration (and as yet untested), challenges to the applicability of the exclusion in any given circumstance are very likely to occur. One such likely challenge will be proving attribution: attribution (and its acceptance) can be very difficult, and absolute certainty in attribution may not be feasible (especially based on public information that can be used as evidence).

While these terms may appear daunting, the goal is to provide additional clarity of coverage in a world that is increasingly reliant on technology.

McGill and Partners has been working closely with clients to help guide them through this first step in what is likely to be a long road of policy language development, helping to provide more certainty of coverage where the exclusion is involved and ensuring cover under their programs is as broad as possible in the current market.

In a world that is increasingly reliant on tech, it can be hard to decipher whether a policy offers you the coverage you need. McGill and Partners works closely with clients to help guide them through what is likely to be a long road of policy language development to ensure the coverage you need is the coverage you get, whether the exclusion is involved or not.