Ride the Lightning

Lloyd’s of London Excludes Coverage for State-backed Cyber Attacks – What It Means for Customers

August 31, 2022

Dark Reading reported on August 29 that law firms and companies are re-evaluating their cyberinsurance premiums after large insurance companies have now included exclusions for catastrophic cyberattacks conducted by “state-backed” actors.

Are cyberinsurance policy still worth their very high premiums? Not everyone believes they are.

 Cyberinsurance giant Lloyd’s of London issued a notice on August 16 to its member insurers, or syndicates, requiring that they exclude coverage for state-backed cyberattacks. The motive was to protect insurance companies and their underwriters from catastrophic loss, and help manage systemic risk that could overwhelm insurers, Lloyd’s market bulletin stated.

Businesses have already seen their premiums skyrocket during the past three years. They should question whether insurance still mitigates risk effectively, says Pankaj Goyal, senior vice president of data science and cyber insurance at Safe Security, a cyber-risk analysis firm.

“Insurance works on trust, [so answer the question,] ‘will an insurance policy keep me whole when a bad event happens?’ ” he says. “Today, the answer might be ‘I don’t know.’ When customers lose trust, everyone loses, including the insurance companies.”

Cyberinsurance companies have seen profits decline sharply in the past decade, as losses jumped from 35% of the revenue from premiums five years ago, to 72% in 2020. To adapt, insurance companies have dramatically raised the cost of policies — by 74% just in 2021, after rising 22% in 2020, according to FitchRatings.

Insurance firms have also begun limiting their liability. In 2021, global insurance firm AXA decided to stop paying ransoms to cybercriminals. Over the past two years, insurance companies have added act-of-war exclusions to their policies.

In its market bulletin (PDF), Lloyd’s argued that the risk posed by cyberattacks continues to evolve and its members need to adapt to the threats posed by large or widely distributed attacks. While wartime risks are often excluded, Lloyd’s requires that syndicates go further and ensure that certain policies have “a suitable clause excluding liability for losses arising from any state-backed cyberattack.”

“If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage,” the Lloyds stated. “In particular, the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb.”

This move came after pharmaceutical firm Merck won its lawsuit against its insurers after they refused to pay its $1.4 billion in business losses sustained in the NotPetya crypto-ransomware attack in 2017. The judge in the case ruled that the insurance policies’ act-of-war exclusion did not apply, because the clause was meant to only exclude losses during armed conflicts.

 “Signs point to continued breaches and hacks, resulting in a longer claims process, and more litigations,” says Goyal. “Unless the industry can collectively fix the way cyber insurance policies are understood, written and priced, ensuring that they are based on actual data and individual organizational risk — one size does not fit all — there is no end to the challenges and mistrust in cyber insurance.”

The primary problem is that the term “state-backed cyberattack” could be a very broad exclusion, and if abused by the insurance industry, one that will damage the usefulness of cyber insurance, experts say.

Attributing an attack to a nation-state is notoriously difficult, says James Turgal, vice president of cyber-risk and strategy for Optiv, a cybersecurity consultancy.

“Even if a computer involved in the attacks was traced back to an IP address located in an Iranian or North Korean military base, that doesn’t necessarily mean that it was an attack done with the knowledge of or at the direction of the government’s authorities,” he says. “It could have been compromised by hackers in other countries [as a false-flag attempt].”

Amen to that. It can be difficult indeed to determine whether an attack is state-sponsored. I expect more litigation in those cases.

Almost two-thirds of companies — 64% — suspect that they have been either directly targeted or impacted by a nation-state attack, says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. Many of the major sources of cyberattacks against North American, European, and Asian companies come from cybercriminal groups linked in some way with China, Iran, North Korea, or Russia. Whether that link will equate to being “state-backed” is an open question.

“These companies are clearly going to be worried about whether insurers will deem most attacks to be nation-state sponsored,” he says. “As a result, we expect most businesses that are serious about security to double down on their efforts to protect themselves from hackers in the first place.”

Insurers will have to develop clear guidelines regarding what evidence and data will be used to determine the attribution of an attack, and what behavior patterns or data points they will consider in determining whether an attack is state-backed, he says.

The exclusion is likely to result in fewer companies relying on cyber insurance to mitigate catastrophic risk. Companies need to make sure that their cybersecurity controls and measures can mitigate the cost of any catastrophic attack, says David Lindner, chief information security officer at Contrast Security, an application security firm.

Creating data redundancies, such as backups, expanding visibility of network events, using a trusted forensics firm, and training all employees in cybersecurity – all of these can help protect a business against cyberattacks and reduce damages.

The broad exclusions will likely result in delayed payouts and an increase in lawsuits if insurers refuse to pay out on a large policy.

I firmly expect that the broad exclusions will result in more litigation, not less.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson