Lloyd’s to Exclude Global Cyberattacks Under Insurance

Lloyd’s of London Ltd. will require its insurance teams around the world to remove government-sponsored hacks from stand-alone insurance companies starting next year.

Lloyd’s is a marketplace where approximately 75 syndicates of underwriters come together to provide insurance to businesses, organizations and individuals. By March 31, when coverage begins or is renewed, organizations must abandon state-sponsored attacks to policies that protect against physical and digital damage caused by hacks, Underwriting Director Tony Chaudhry said. the issue of Aug. 16.

The move is designed to ensure that insurers clearly define what they can and cannot cover, as the potential for government-run hacks to spread and cause damage could pose a risk to the insurance market, the notice said.

At least, Mr. Chaudhry said, the policy should have clauses that do not include the loss of war, declaration or otherwise, where the policy does not have a different war. They must also eliminate losses when a state-sponsored attack has catastrophic consequences for the affected country and disrupts its operational capabilities. There should also be a strict way in which the parties choose to be destroyed, according to the notice.

A spokesman for the company said: “Cyber ​​remains a priority for Lloyd’s. The advice given last week, following discussions with our market, is to ensure we are taking the appropriate risk as a market as we approach this critical sector with the expertise and diligence required.”

While it is easy to rule out an openly declared war, determining the consequences of a state-led cyber war is difficult. For example, drawing a line between a terrorist group simply supporting a country, or acting as an agent of the government, is difficult, US officials have said in the past. Brokers said that determining the extent of the damage caused by the attack, which could lead to unavailability, is also difficult.

“For most market participants, it’s not so much about government activity as it is when the level of activity reaches the financial crisis,” said Gregory Eskins, director of the US and Canadian industry at Marsh’s trading group. of Marsh & McLennan Cos. “This is something we all struggle with.”

Insurers have been looking for ways to tighten the language in their policies, especially after a New Jersey judge last year ruled in favor of Merck & Co. thinking it was eligible for reimbursement from its insurer after the 2017 cyberattack. Merck was hit by the NotPetya virus, which it said cost $1.4 billion to recover. The company’s property and casualty insurers initially rejected the claim on the grounds that it was not related to war. In that case, the judge said Merck could not be expected to know that the war exclusion would apply in such cases, especially declaring that the war exclusion does not apply to cyber attacks.

One of the reasons why insurers are increasingly covering government-sponsored crimes is the economic damage they can cause. Mondelez International food company Inc.,

which was also a victim of NotPetya, cost $100 million as a result of the attack, while Britain’s National Health Service said the WannaCry virus cost more than $100 million. The US government has attributed NotPetya to Russia and WannaCry to North Korea. Both countries refuse to participate.

Cyber ​​insurance, which has become an important market due to the increase in threats in recent years targeting companies of all sizes, has been undergoing a period of renewal in recent months, as carriers better understand how to comply and value the risk they are. screen.

Lloyd’s new requirements represent an “evolution” in how the insurance industry is moving online, said Thomas Reagan, head of the US and Canada at Marsh, but the new requirements also pose challenges.

“Like all these things to some extent, it’s two steps forward and one step back,” Reagan said. While the bulletin provides certainty and clarity to Lloyd’s expectations, he said, it also creates uncertainty for policyholders, such as whether a cyberattack has been delivered.

Excluding war in particular has been a hot debate within the cyber insurance industry for years, but Russia’s attack on Ukraine in February has also raised concerns that a large-scale cyberattack, such as one that takes out infrastructure, could lead to losses for insurers. . The relative youth of the cyber insurance market means there is a lack of consistency in terms and exclusions, ratings firm Moody’s Investors Service Inc., a division of Moody’s Corp., said in a June statement.

“In US cases, insurers must demonstrate that the insurance exclusion applies to the case. This places the burden of proof on insurers in the case of military exclusions,” Moody’s researchers said in the letter. Moody’s declined to comment on Lloyd’s case.

While Lloyd’s requirement is important because it aims to remove uncertainty about when and where the waiver will be applied to the policy, it can also harm victims, said Joshua Motta, chief executive of insurance firm Coalition Inc., which provides specialized online information.

“Another implication is that policyholders may be left without help or difficult services from their insurers while waiting for the government to pay,” he said.

Lloyd’s Market Association – the trade group of managers, or leading companies – has come up with a series of contractual attacks in November 2021 that will not include government-sponsored cyber attacks to prevent cyber attacks. Lloyd’s said in a statement on Tuesday that the use of these clauses will meet its requirements.

More from WSJ Pro Cybersecurity

Write to James Rundle at james.rundle@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8