Lloyd’s of London defends against cancellation of cyber insurance due to government attack

Lloyd’s of London has defended an upcoming law that would make cyber regulation of the insurance market illegal, following a backlash between brokers and academics.

The move to reduce market risk in the insurance market, which was announced last month and applies to regular cyber plans from the end of March, has prompted warnings that it could lead to legal disputes if some attacks have government support while also restricting essential cover for businesses.

But Patrick Tiernan, head of Lloyd’s markets, said the organization was doing well to create a product that was “just about to enter and not yet enter the world”.

“Often in the past, this kind of correction or change in language is done after the fact . . . after everything has gone wrong,” Tiernan told the Financial Times. “I think this is Lloyd’s responsibility to our customers and participating in the market.”

Another option, he said, would be to raise the cost of insurance, which would increase fuel prices.

Exclusions for military incidents are similar to those for insurance. In its report last month, Lloyd’s said: “The ability of actors to spread attacks more easily, the ability to spread malicious code, and the greater reliance that organizations have on their IT capabilities . . . means that losses can exceed what the insurance market can absorb.”

However, Cindy Jordano, a partner at the law firm Cohen Ziffer Frenchman & McKenna, said the move could raise “questions about whether disclosures are made about other cyber crimes that would otherwise have been covered up”, due to the difficulty of attributing the attack to the government behind it. There could be “serious lawsuits over these decisions”, Jordano predicted.

The terms of cyber warfare vary, and their definition is difficult due to the difficulty of identifying the links of the attackers. Late last year, the pharmaceutical group Merck won a US court ruling that the military exemption should not apply to damages caused by the NotPetya malware attack.

Underwriters have defended the new guidance as an attempt to clarify what is, in insurance terms, still a small market: the first cyber policy written at Lloyd’s was in 1999.

The new requirement “doesn’t limit the level of privacy we have now,” said Graeme Newman, chief executive of cyber insurer CFC. “After Covid, haven’t we all learned that clarifying our language is good for both the insured and the policyholder?” he added, referring to bitter disputes between the province and businesses over whether epidemic-related losses should be compensated.

Lloyd’s said the four models proposed by trade body Lloyd’s Market Association in November, for clarity, would meet its requirements – although insurers are not forced to use the term.

The examples vary in the level of crimes that are not specifically defined but are mainly thought of as “government . . . the extent to which the computer systems affected by the cyber activity are physically present indicates that the cyber activity belongs to another country or its agents”.

Josephine Wolff, a Tufts professor and author of a book on cyber insurance, warned in an FT op-ed last week that government-sponsored threats are becoming so widespread that refusing to cover them could lead companies to stop buying policies altogether.

Martin Lilley, head of commercial insurance at Broadway Insurance Brokers in Manchester, which specializes in securing small businesses, said the reduced demand “feels like another blow”, and “represents a further restriction on the cover available in the insurance market”.

Cyber insurance rates have risen in recent years as insurers pass on the cost of ransomware claims. Lilley cited one client whose annual income rose to £75,000 this year from £10,000 previously. Some businesses are considering removing the cover altogether and keeping their risk, he added.