View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
April 20, 2023updated 21 Apr 2023 8:05am

Bank of America concerned by Lloyd’s cyber war insurance exemption clauses

Changes which exclude large scale cyberattacks from insurance policies are proving controversial among at-risk businesses.

By Claudia Glover

The Bank of America (BoA) has reportedly raised concerns over cyber war exemption clauses for insurers written by Lloyd’s of London that came into effect last month. But US businesses like the bank could get an additional safety net in the form of a federal “backstop” which would cover the losses sustained by businesses in large-scale cybersecurity incidents.

The BoA has raised concerns with Lloyd’s of London over cyber exemption clauses. (Photo by Hrach Hovhannisyan/Shutterstock)

The BoA, one of the ‘Big Four’ US financial institutions, expressed unease at the exemption clauses during several meetings with Lloyd’s, according to a report in the FT. The new clauses mean the impact of state-backed cyberattacks are excluded from cyber insurance policies.

Why cyber war exemption clauses in insurance are controversial

The threat of large scale attacks to the private sector has been exacerbated by the Ukraine war and is getting larger by the week, the UK’s National Cybersecurity Centre said yesterday. A new class of cybercriminal has emerged that is aligned with the Russian state and seeks to incite chaos as well as implement financially motivated attacks.

The line between state-sponsored attacks and financially-motivated cyberattacks is blurred and companies find themselves at risk of major losses if they are hit. The loss of insurance cover provides a further anxiety for businesses such as the BoA.

However, the insurance industry argues the potential losses it could sustain by covering large-scale cyberattacks is so great that premiums would have to be astronomically high to sufficiently cover businesses. Andrea Rebora, cybersecurity associate at PwC told Tech Monitor last year: “They don’t have enough money for everyone. The amount of money necessary to cover the potential clients is too great. It’s an absurd amount of money.”

Paul Benda, senior vice-president for operational risk and cybersecurity at the American Bankers Association, said that such changes may cause ripples through US financial regulation. “The US banking industry takes its commitment to cybersecurity very seriously,” he told the FT. “[That] includes a layered approach to managing operational risks, and cyber-risk insurance is one of those layers. Any changes in those protections [are] understandably a cause for concern.”

US government could introduce a federal cyber backstop

An alternative safety net, which does not lean so heavily on the insurance industry has been suggested in the US recently published National Cybersecurity Strategy. The  document suggests the exploration of a federal cyber insurance backstop. “In the event of a catastrophic cyber incident, the Federal Government could be called upon to stabilise the economy and aid recovery,” it explains.

Content from our partners
Powering AI’s potential: turning promise into reality
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline

Responses to this suggestion, gathered by the US Federal Insurance Office at the end of March, are favourable. It was suggested the US government could “create a new structure loosely modelled on, but separate from, the Terrorism Risk Insurance Act (TRIA) and the Terrorism Risk Insurance Program (TRIP),” but dedicated to addressing catastrophic cyber risk, rather than the fall-out from a large scale terrorist attack. 

This is similar to that proposed by insurance industry body Pool Re and the UK government earlier this year. Insurance industry leaders reportedly held talks with the Treasury in January to discuss whether Pool Re’s terrorism reinsurance scheme might be tweaked to cover large-scale cyberattacks. The Treasury has yet to take a public position on the matter.

Read more: Here are all the cloud security mistakes your business should avoid

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.