New changes mean your Cyber Insurance policy may not be providing the cover you are expecting.

A recent market bulletin from Lloyd's of London could have a profound impact on how organisations use Cyber Insurance in future. The bulletin addresses a ‘grey’ area that currently exists around cover for losses arising from nation state attacks.

I wrote an article back in 2018 related to a case where Mondelez had a claim for $10M rejected due to a clause which excluded ‘hostile or warlike action in time of peace or war’ by a ‘government or sovereign power’. Mondelez, the global snack giant, was hit by the NotPetya malware, resulting in over $100M of damages, which in turn resulted in a protracted legal battle with Zurich Insurance over how “warlike” the attack was.

A lot has happened in the world since 2018, but it would be difficult to argue against the view that the world is now even more reliant on IT systems, and that the geopolitical landscape is at its most unstable point in many decades. Russia’s recent attacks have been mainly focussed on Ukraine, but there have been wider attacks, such as that on Viasat, which show that Russia does not feel constrained to the borders of Ukraine in its cyber operations if they further its objectives on the ground. Finland, Lithuania and Estonia have recently been under attack, with responsibility for some of these attacks being claimed by Russian hacking groups.

Lloyd's is concerned that the growing scale and impact of state-backed attacks could result in insured losses significant enough to impact the stability of insurance markets as a whole, and so has instructed its syndicates to write robust wording into all new policies issued after March 2023. The wording must:

  1. exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
  2. (subject to 3) exclude losses arising from state-backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) significantly impair the security capabilities of a state.
  3. be clear as to whether cover excludes computer systems that are located outside any state which is affected, in the manner outlined in 2(a) and (b) above, by the state-backed cyber-attack.
  4. set out a robust basis by which the parties agree on how any state-backed cyber-attack will be attributed to one or more states.
  5. ensure all key terms are clearly defined.

What does this mean?

While organisations may think that they are not a large enough target for foreign state actors to attack, experience shows us that it's possible to get caught up in a ‘dragnet’ attack which is aimed simply at causing widespread disruption. The Mondelez case mentioned earlier was an example of this: the NotPetya ransomware wasn’t targeted specifically at them but impacted them severely. Economic terrorism is increasingly likely to be a tool used by rogue nation states in the short term.

Attributing attacks has always been a challenge, to the extent that hacking groups often use ‘false flags’ to try to make it look like the attack has come from another source. For example, a Russian hacking group may embed some Chinese text in the source code to throw investigators off the scent. This creates a huge amount of uncertainty, which underwriters may use to deny claims. Point 4 above is very interesting; I’ll be watching closely to see how a robust attribution process will be created! To add even more complexity, there is often a cosy arrangement between rogue states and hacking groups working at arm’s length under their instruction.

Ultimately, clarity in the scope of cover will be welcomed by organisations, but it will require close collaboration between the business and the cyber security team to ensure all parties understand which risks can be transferred and which residual risks remain with the organisation and may need to be addressed.

The idea that you can transfer all your risk to a cyber insurer was never realistic, and these recent changes underline the point. Many underwriters require organisations to go through a certification process, or to invest in specific security controls, before issuing a policy. In reality it is the process of improving your organisation’s security maturity which adds more value than the cyber insurance itself.
