Lloyds extends cyberwar risk exclusions to state-backed cyber-attacks

With effect from 31 March 2023 at the inception or on renewal of each policy Lloyds requires from its syndicates that all standalone cyber-attack policies?must include a clause excluding liability for losses arising from any state-backed cyber-attack. This we could read in their latest market bulletin (Y5381, dd. 16/08/2022).

State-backed attacks can occur outside of a war involving physical force. The damage that these attacks can cause and their ability to spread create a similar systemic risk to insurers. The potential for systemic risk arising from such cyberattacks is too great for individual syndicates and the insurance market as a whole to bear. Therefore, according to Lloyds, the risk must be excluded.

The market bulletin sets out the minimum requirements for the state-backed cyber-attack exclusion. The exclusion must:

1. exclude losses arising from war (whether declared or not), where the policy does not have a separate war exclusion.

2. (subject to 3) exclude losses arising from state-backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.

3. be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state-backed cyber-attack.

4. set out a robust basis by which the parties agree on how any state-backed cyberattack will be attributed to one or more states.

5. ensure all key terms are clearly defined.?

The LMA has already worked extensively on drafting such model clauses which are accepted by Lloyds.

In case of any question related to cyber insurance, please reach out to us.

The Orbis Risk Partners team