Lloyd’s Carves Out Cyber-Insurance Exclusions for State-Sponsored Attacks

The insurer won’t pay for ‘acts of cyber-war’ or nation-state retaliation attacks.

Fallout from nation-state sponsored cyberattacks will no longer be covered under cyber-insurance policies issued by famed insurer Lloyd’s of London.

The insurance juggernaut’s underwriting director Patrick Davidson just released four new Cyber War and Cyber Operation Exclusion Clauses, outlining the new terms.

The company explained it will no longer cover losses resulting from “cyber-war,” which it defined as a cyber-operation carried out as part of a war, any retaliatory attacks between specified states, or a cyber-operation “that has a major detrimental impact on the functioning of a state.”


Countries specified in the exemption language are China, France, Japan, Russia, the U.K. and the U.S.

The insurer’s new definition of cyber-war leaves plenty of latitude for the insurer to refuse to pay.

Under the Lloyd’s of London explanation, the insurer can also refuse to pay for nation-state-sponsored attacks on services essential for a state to function, such as financial institutions, financial market infrastructure, health services and utilities, according to the exclusion documents.

“In discussion with Lloyd’s it has been agreed that, in respect of standalone cyber-insurance policies, these clauses meet the requirements set out in the Performance Management — Supplemental Requirements & Guidance (July 2020) which state that all insurance and reinsurance policies written at Lloyd’s must, except in very limited circumstances, contain a clause which excludes all losses caused by war,” Davidson said.

Further, the attack doesn’t need official attribution to be excluded from the cyber-insurance policy. The exclusion documents outlined that pending any government attribution, the insurer can decide through “inference which is objectively reasonable” to attribute cyberattacks to state activities.

It added that the insurer can also decide an attack is excluded from coverage without government attribution if the government’s attribution decision takes “an unreasonable amount of time, does not, or is unable to attribute the cyber-operation to another state or those acting on its behalf.”

This narrowing of coverage is in response to evolving threats, increased risk and a 95-percent increase in demand during the third quarter, according to Chris Reese, head of insurance at Cowbell Cyber.

“Cyber-coverage delivers financial protection and incident-response expertise to assist businesses in returning to normal operations after an incident,” she told Threatpost. “In parallel, cyber-insurance is in transition. Insurers need to overhaul their underwriting strategies to account for the unique nature of cyber-risk – evolving threats, rapidly expanding exposures because of digitization, complexity of IT infrastructure – to avoid any disconnect with the risk they commit to cover. Technology, data and automation have become core to modern underwriting for cyber.”

Debates over the best response to an attack generally include a close look at the calculus of relying on cyber-insurance to simply pay up after a ransomware hit so the company can move on to recovery. If insurers continue to narrow their scope of coverage, the calculus behind that investment could shift.

In fact, researchers from Fox-IT, part of NCC Group, just released data showing that, whether or not a company carries cyber-insurance, attackers have already calculated how much it can afford to pay in ransom, which could draw them to organizations with policies in pursuit of higher payouts.

“The results show that the adversaries operating behind the dataset we collected knew how much ransom a victim is willing to pay before the negotiation had started,” the Fox-IT analysts explained.
