In a recent market bulletin, Lloyd’s, the oldest insurance and reinsurance marketplace in the world, has set out requirements for state-backed cyber-attack exclusions in standalone cyber-attack policies.
In the report, the market affirmed that they remain strongly supportive of the writing of cyber-attack cover but recognise that cyber-related business continues to be an evolving risk. If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage.
The critical dependency that societies have on their IT infrastructure, including operating physical assets, means that losses have the potential to greatly exceed what the insurance market can absorb.
It is for this reason, Lloyd’s states, that they have consistently emphasised that underwriters need to be clear in their wordings as to the cover they are providing.
Exposure to cyber-attack losses has been an area of market focus in circumstances where the losses arise from attacks sponsored by sovereign states.
When writing cyber-attack risks, underwriters need to consider the possibility that state-backed attacks may occur outside of a war involving physical force, says the marketplace.
The report suggests that the damage that these attacks can cause and their ability to spread create a similar systemic risk to insurers.
The market recognises that many managing agents in the market are already including clauses in their policies specifically tailored to exclude cyber-attack exposure arising both from war and non-war, state-backed cyber-attacks.
However, they wish to ensure that all syndicates writing in this class are doing so at an appropriate standard, with robust wordings.
The report notes that complexities can arise from cyber-attack exposures in the context of war or non-war, state-backed attacks, and so underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust.
Lloyd’s says it is important that they have the confidence that syndicates are managing their exposure liabilities from war and state-backed cyber-attacks. Robust wordings also provide the parties with clarity of cover, which means that risks can be properly priced and reduces the risk of disputes.
Therefore, Lloyd’s requires that all standalone cyber-attack policies falling within risk codes CY and CZ must include, unless agreed by Lloyd’s, a suitable clause excluding liability for losses arising from any state-backed cyber-attack in accordance with the requirements.
This clause must be in addition to any war exclusion (which can form part of the same clause or be separate from it). At a minimum, the state-backed cyber-attack exclusion must:
Exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
Exclude losses arising from state-backed cyber-attacks that significantly impair the ability of a state to function or significantly impair the security capabilities of a state.
Be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined.
Set out a robust basis by which the parties agree on how any state-backed cyber-attack will be attributed to one or more states and ensure that all key terms are clearly defined.
The requirements set out here take effect from 31 March 2023 at the inception or on the renewal of each policy, says Lloyd’s.
In implementing the requirements set out above, the market requires managing agents to have regard to the terms of their reinsurance programmes, to ensure they provide appropriate, back-to-back cover.