War Exclusions in Cyber Liability Policies: What Does it Mean for You?

War Exclusions in Cyber Liability Policies

To begin, it is important to remember that excluding war is nothing new, as Lloyd’s has had a war exclusion since World War II. What makes this exclusion different for cyber policies is that there is a grey area between nation state actors and petty criminals. Furthermore, governments rarely claim responsibility for a cyber-attack. The war exclusion is an attempt by the insurance industry to grapple with this grey area.

It is also important to understand the motivation behind the exclusion. Insurers, including Lloyd’s syndicates, typically purchase insurance for the insurance they sell. This is called reinsurance. Every year, insurers must placate their reinsurers in order to have the financial backing to continue to do business.

Reinsurers are increasingly becoming concerned with systematic risk in the cyber insurance marketplace. For example, if Amazon Web Services went down for an extended period of time, there would be catastrophic dependent business interruption losses, and the insurance industry may not have enough capacity to pay all the losses. Reinsurers have the same concerns with nation-sponsored cyber attacks. In fact, the Lloyd’s bulletin specifically mentions systematic risk. Furthermore, the syndicates are only required to exclude state backed cyber-attacks that significantly impair the ability of a state to function, or that significantly impair the security capabilities of a state.

The new exclusion appears to simply be a way for the Lloyd’s syndicates to placate their reinsurers, so business can continue as normal. As shown by the NotPetya attack on Merck, the burden of proof is on the insurer to prove that that a cyber-attack was nation-sponsored.