Lloyd’s of London defends against cancellation of cyber insurance due to government attack

Lloyd’s of London has defended an upcoming law that would make cyber regulation of the insurance market illegal, following a backlash between brokers and academics.

The move to reduce market risk in the insurance market, which was announced last month and applies to regular cyber plans from the end of March, has prompted warnings that it could lead to legal disputes if some attacks have government support while also restricting essential cover for businesses.

But Patrick Tiernan, head of Lloyd’s markets, said the organization was doing well to create a product that was “just about to enter and not yet enter the world”.

“Often in the past, this kind of correction or change in language is done after the fact . . . after everything has gone wrong,” Tiernan told the Financial Times. “I think this is Lloyd’s responsibility to our customers and participating in the market.”

Another option, he said, would be to raise the cost of insurance, which would increase fuel prices.

Exclusions for military incidents are similar to those for insurance. In its report last month, Lloyd’s said: “The ability of actors to easily spread attacks, the ability to spread malicious code, and the high level of trust that organizations have in their IT skills . . . means that losses can exceed what the insurance market can absorb.”

However, Cindy Jordano, a partner at the law firm Cohen Ziffer Frenchman & McKenna, said the move could raise “questions about whether disclosures are made about other cyber attacks that would otherwise have been covered up”, because it is difficult to say whether the government was behind the attack. There could be “serious lawsuits over these decisions”, he predicted.

The terms of cyber warfare vary, and their definition is difficult due to the difficulty of identifying the links of the attackers. Late last year, the pharmaceutical group Merck won a US court ruling that the military exemption should not apply to damages caused by the NotPetya malware attack.

The underwriters have defended the new guidance as an attempt to clarify what, in terms of insurance, is still a small market: the first cyber policy written at Lloyd’s was in 1999.

The new requirement “doesn’t limit the level of privacy we have now,” said Graeme Newman, chief executive of cyber insurer CFC. “After Covid, haven’t we all learned that clarifying our language is good for both the insured and the policyholder?” he added, referring to bitter disputes between the province and businesses over whether epidemic-related losses should be compensated.

Lloyd’s said four models presented by trade body Lloyd’s Market Association in November, aimed at clarity, would meet its requirements – although insurers are not obliged to use the term.

The examples vary in the level of crimes that are not specifically defined but are mainly thought of as “government . . . the extent to which the computer systems affected by cyber activity are physically present indicates that the cyber activity is of another country or those who represent it”.

Josephine Wolff, a Tufts professor and author of a book on cyber insurance, warned in an FT op-ed last week that government-sponsored threats are becoming so widespread that refusing to cover them could lead companies to stop buying policies altogether.

Martin Lilley, head of corporate insurance at Broadway Insurance Brokers in Manchester, which specializes in finding small businesses, said the public demand “sounds like another blow”, and “reflects the over-restriction that exists in the cyber insurance market.”

Cyber insurance rates have risen in recent years as insurers pass on the cost of ransomware claims. Lilley cited one client whose annual income rose to £75,000 this year from £10,000 previously. Some businesses are considering removing the cover altogether and keeping their risk, he added.