War Exclusions in Cyber Liability Policies: What Does it Mean for You?
Beginning in 2023, Lloyd’s of London, the largest insurance marketplace in the world, will require its syndicates to exclude war – and state-backed cyber-attacks from cyber liability policies. The question is, what does this mean for policyholder?
War Exclusions in Cyber Liability Policies
To begin, it is important to remember that excluding war is nothing new, as Lloyd’s has had a war exclusion since World War II. What makes this exclusion different for cyber policies is that there is a grey area between nation state actors and petty criminals. Furthermore, governments rarely claim responsibility for a cyber-attack. The war exclusion is an attempt by the insurance industry to grapple with this grey area.
It is also important to understand the motivation behind the exclusion. Insurers, including Lloyd’s syndicates, typically purchase insurance for the insurance they sell. This is called reinsurance. Every year, insurers must placate their reinsurers in order to have the financial backing to continue to do business.
Reinsurers are increasingly becoming concerned with systematic risk in the cyber insurance marketplace. For example, if Amazon Web Services went down for an extended period of time, there would be catastrophic dependent business interruption losses, and the insurance industry may not have enough capacity to pay all the losses. Reinsurers have the same concerns with nation-sponsored cyber attacks. In fact, the Lloyd’s bulletin specifically mentions systematic risk. Furthermore, the syndicates are only required to exclude state backed cyber-attacks that significantly impair the ability of a state to function, or that significantly impair the security capabilities of a state.
The new exclusion appears to simply be a way for the Lloyd’s syndicates to placate their reinsurers, so business can continue as normal. As shown by the NotPetya attack on Merck, the burden of proof is on the insurer to prove that that a cyber-attack was nation-sponsored.
Key Takeaways
- Lloyds syndicates are only required to exclude acts of war and systemic state backed cyber-attacks
- The burden of proof is on the insurer
- M3 recommends that you work with your account executive to review the exclusion language on your policy to ensure that the exclusion is not broader than Lloyd’s is requiring