No cyber insurance for state attacks is 'responsible' - Lloyd's of London

Lloyd's of London says cyber insurance is "in its infancy"

Image:
Lloyd's of London says cyber insurance is "in its infancy"

Lloyd's of London has said it will no longer pay out in the case of state-backed attacks.

Lloyd's of London has defended its decision to stop providing insurance coverage for state-backed cyber attacks.

Patrick Tiernan, Lloyd's chief of markets, told the Financial Times the company was acting responsibly by adopting a cautious approach while developing a product "in its infancy," which still has relatively low worldwide penetration.

"Very often in the past, these sort of corrections or evolutions to policy language happen post-event . . . after everything has gone wrong.

"I think this is Lloyd's being responsible to our customers and acting with the market."

An alternative to stopping coverage for state-backed cyber attacks would be to raise the capital requirements for insurers, but Tiernan pointed out that this would lead to higher premiums.

Lloyd's of London released a market bulletin last month outlining new guidelines for stand-alone cyber attack insurance plans that would exclude coverage for damages caused by state-sponsored attacks.

'Lloyd's remains strongly supportive of the writing of cyber-attack cover[age] but recognises also that cyber related business continues to be an evolving riskā€¦[and] that losses have the potential to greatly exceed what the insurance market is able to absorb,' the guidance said.

The new provisions are slated to go into force from 31st March 2023, when a policy is first issued or is renewed.

The company said it consistently highlights the need for underwriters to be clear in their wordings about the coverage they are offering, with clarity about cyber attacks by state-backed actors being of particular significance.

'When writing cyberattack risks, underwriters need to take account of the possibility that state-backed attacks may occur outside of a war involving physical force. The damage that these attacks can cause and their ability to spread creates a similar systemic risk to insurers,' it added.

Cyber stakeholders oppose the move

Cyber security experts have warned against stopping coverage for state-backed attacks. They said the move would lead to legal disputes to determine whether certain attacks were launched with state support, and would further restrict insurance cover that is crucial to enterprises.

The move could leave "ambiguity as to whether coverage is afforded for certain cyber attacks that would otherwise be covered," said Cindy Jordano, a partner at the law firm Cohen Ziffer Frenchman & McKenna.

The exclusions could lead to significant litigation, she warned.

In an FT opinion piece last week, Josephine Wolff, a professor at Tufts University, cautioned that because state-sponsored cyber attacks are now so common, businesses may stop purchasing insurance policies all together if insurers refused to cover state-backed attacks - especially while governments continue to strengthen their cyber capabilities.

There are also concerns that businesses choosing not to buy cyber-insurance may end up adopting lower security measures to safeguard their own networks and data, since they will no longer be required to satisfy their insurers' criteria.

Only half of firms insured against cyber attacks

Last month, an analysis from Blackberry and Cyber MGA Corvus warned of a widening 'cyber insurance gap' in North America.

A survey of 450 IT leaders at companies in the USA and Canada found that a majority of firms are either uninsured or underinsured against ransomware attacks.

Only 55% of survey respondents claimed to have cyber insurance.

Cost is a key consideration when choosing cyber insurance. More than half (57%) of respondents said the current cost of premiums is a challenge, as is insurance firms' lack of transparency over what is covered (49%).

For example, many no longer cover payments made to ransomware attackers.

Insurance brokers' increasing software demands have also made it more difficult to get cyber insurance, the study found.