
Lloyd’s of London cyber war exclusion rules come into effect today

Lloyd's of London's controversial clause has caused consternation for many in the insurance industry as they rush to abide by the deadline.

By Claudia Glover

A cyber war exclusion clause written by Lloyd’s of London last year comes into effect today. The controversial clause would see effects of state-backed cyberattacks excluded from cyber insurance policies. Some have claimed this is difficult to discern due to the anonymous nature of cyberattacks.

Lloyd’s of London cyber war exemption clause deadline arrives. (Photo by Simon Vayro/Shutterstock)

The cyber war exclusion clause was announced in August of last year and recommends that standalone cybersecurity policies exclude coverage of attacks implemented by state-sponsored cybercriminals. Written by Lloyd’s underwriting director Tony Chaudhry, the clause is expected to add clarity to an unclear field that can lead to billions of pounds worth of risk.

“The requirements set out here take effect from 31 March 2023 at the inception or on renewal of each policy,” reads the bulletin. “There is no requirement to endorse existing, in-force policies, unless the expiry date is more than 12 months from 31 March 2023. Managing agents will nevertheless wish to start at an early stage to determine their approach to adopting appropriate exclusion clauses.”

In implementing the requirements, Lloyd’s warned that managing agents would need to consider the terms of their reinsurance programmes to ensure they provide appropriate, back-to-back cover.

A controversial ruling

The deadline was met with worry as insurers rushed to ensure their policies were in line with the Lloyd’s of London suggestions, Sarah Stephens, head of international cyber at insurance broker Marsh, told the Financial Times.

“Where we feel the mandate has caused undue pressure by not allowing enough time for the commercial market to come up with solutions,” she said, causing insurers to feel “handcuffed” by the tight time frame.

Others have argued that, because discerning the perpetrators of an attack can be an imprecise science, Lloyd’s of London could be lending too much leeway to the exclusion clause.

Josephine Wolff, an associate professor of cybersecurity policy at Tufts University’s Fletcher School of Law and Diplomacy, told The Record in a report that much will likely depend on how attribution for attacks is determined. “I think overall, this bulletin comes pretty close to equating state-backed cyberattacks with acts of cyber war… and that is a substantial shift in policy that I think suggests insurers may be moving towards trying not to cover these types of (very common!) attacks.”


Practically, however, some have suggested that these exclusions will serve to exclude global events such as the NotPetya hack. Craig Dunn, the head of Cyber M&A Insurance EMEA for Aon, told The Record: “Despite the negative press that Lloyd’s of London got for some of the exclusions they’ve come up with, the vast majority of insurers are adopting variants where the intention is to only exclude nation-state attacks that form part of an armed conflict or impact the underlying functioning of a state.”

The impact of NotPetya

It was the legal fallout of the NotPetya attack of 2017 that shook the insurance world. A state-backed attack masquerading as ransomware originating in Ukraine, the malware caused more than $10bn worth of damage globally. 

Two global legal battles arose from the attacks, with each claimant arguing that it should be covered for the billions in losses. The pharmaceutical company Merck won a lawsuit last year after its insurer, Ace American, declined to cover approximately $1.4bn in losses from the NotPetya attack. In denying the claim, the insurer unsuccessfully cited a “war exclusion,” claiming it should not be liable for covering the 2017 wiper attack because it was linked to Russian conflict with Ukraine.

Despite the win, this ruling led many in the insurance industry to scale back coverage to leverage liability.

Mondelez International and Zurich American Insurance reached a settlement in November of last year in their multi-year legal battle over the food company’s $100m claim, regarding damage from the same NotPetya cyberattack.
