Analysis: With clarifications on war exclusions, Lloyd’s sets direction for market
Wars have traditionally been seen as outside the realm of insurance. The hard part, in the modern world, is defining what counts as a war.
Lloyd's sought to set expectations last month with a bulletin that requires cyber insurance policies to exclude losses arising not just from war as it's traditionally understood but also from any state-backed cyber attacks that "significantly impair the ability of a state to function".
From Lloyd’s perspective, the corporation will be satisfied if carriers adopt the sample war exclusions published last November by the Lloyd’s Market Association, a body representing Lloyd's underwriters.
"If not managed properly [cyber cover] has the potential to expose the market to systemic risks that syndicates could struggle to manage," Lloyd’s noted. "Losses have the potential to greatly exceed what the insurance market is able to absorb."
It's no surprise that the market is getting antsy about state-sponsored aggression at the moment.
State-backed cyber terror has the potential to cause chaos beyond anything that financially-motivated crooks even aspire to. Ransomware victims can at least pay their way out.
In contrast so-called wiperware, like the infamous NotPetya attack that hit Ukraine in 2017, simply renders a computer unusable - although attackers are not above throwing in a spurious ransom demand for good measure.
Since Russia invaded Ukraine in February, there has been an unexpected drop in cyber attacks outside those two countries. Like so much in the shadowy world of cyber crime, the reasons are obscure, but it seems a good bet that racketeers in Russia and Ukraine - two of the world's great hacking superpowers - have turned on each other.
The Conti group, one of the most notorious ransomware gangs of recent years, trumpeted its support for Russia at the outset of the war, but was promptly humiliated by a series of leaks from a disgruntled member. The cache of highly confidential messages and ransomware source code - accompanied by slogans like "Glory for Ukraine!" - offered a rare insight into the world of online stick-up artists.
Although the details are sketchy, references to Liteyny Avenue in St Petersburg, local headquarters of the Russian security service or FSB, strongly suggest Conti had at the very least a nodding acquaintance with Russian spies.
Conti has since 'retired its brand', but cyber gurus are bracing themselves for the risk a new wave of Russian-backed attacks.
"State activity will get worse, primarily because we're not likely to see the Ukraine war come to a close in the next year," says William Altman, Principal Cybersecurity Consultant at CyberCube, a firm that specialises in modelling cyber risk. "And as Russia becomes more desperate to gain ground in that war effort, they're going to continue to lash out against the governments that are supporting Ukraine."
The statement from Lloyd's is an acknowledgement that cyber has effectively become a 'fifth domain' of modern warfare (the others being land, sea, air and space). It makes no difference to existing cover, but requires the exclusions to be built into all policies signed or renewed from March 31 next year (although it does leave open the possibility of exceptions specifically agreed by Lloyd's).
More than anything, the bulletin is all about clarity. Apart from excluding wartime losses, underwriters and their customers must set out how they will actually decide whether a cyber attack is attributed to one or more states.
Graeme Newman, chief executive of CFC Underwriting, told CyberInsurer.com that if attribution is difficult to ascertain - which is very often the case with cyber - it will be difficult for insurers to apply the exclusion.
As the potential for large cyber losses rises, so does the potential for disputes between insureds and insurers.
In January a New Jersey court ruled in favour of German pharma giant Merck, which estimated that it suffered more than $1.4 billion in losses from NotPetya. Merck's insurer, ACE American, had refused to pay out on the grounds that NotPetya was an instrument of war created by Russia as part of its intimidation campaign against Ukraine.
"Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare," the court decided. It even noted that "no court has ever applied a war (or hostile acts) exclusion to anything remotely close" to the NotPetya attack.
Lloyd's will be hoping that more robustly-worded policies can save its underwriters from being drawn into ugly disputes of that kind. Newman believes that excluding cyber war from primary insurance forms makes it more likely that the market will see a separate cyber war insurance market emerge - as already exists in marine and aviation.
“This will attract more capital,” Newman says. “It means policyholders won’t miss out, they will have the option to buy this cover back if they really want to.”
For insureds concerned watching carefully the progress of a hot war on the European continent, this could be highly appealing.