The recent announcement on cyber war exclusions from Lloyd’s of London marks the latest evolution in the cyber insurance industry. As such, Jennifer Mulvihill, Business Development Head, Cyber Insurance & Legal at BlueVoyant, comments on the challenges of attribution and what this means for the market.
“While we are all focusing on the announcement this past August 16 it is worth noting that this change has been on the horizon for several months. In late December, Lloyd’s published its new ‘war risks exclusion’ clauses for cyber war and state-attributed cyber operations.
These clauses tried to balance the needs of the private sector and government agencies facing cyber threats, with insurers wanting to offer this type of insurance with certain parameters.
However, war, by definition, is inherently ambiguous. Cyber war even more so.
The core conundrum remains, although now it is mandatory to specifically exempt coverage for losses “arising from a war,” as well as from state-backed cyber attacks that “significantly impair the ability of a state to function,” or which impact a state’s security capabilities. Also, regulations now provide entities with a clear system for how to attribute an attack to a state-based actor.
“Personally, I believe, the move to make any exclusion clear and unambiguous is an important move for insurers; this manages expectations for both the broker as to what’s being sold, and for the insured party as to what they are buying. That in itself helps avoid the type of coverage litigation that emanated from the 2017 Merck attack.
However, as the industry reacts to this mandate, we are all focused on the challenge of attribution — not just the ultimate determination but also the process of determination. Lloyd’s is mandating a “clear system for how to attribute an attack to a state-based actor.” One can only imagine that every syndicate might develop a different system to gain a competitive advantage. In that case, does that diminish the standardisation that Lloyd’s is trying to achieve?
Any system will necessarily include stakeholders who have certain authority and responsibility. Who will want to take on the responsibility to sign off on attribution. Should it be someone from the private sector? Someone from law enforcement? A team consisting of both? And will there be a threshold level of confidence that has to be met before the exclusion can be triggered? What is that threshold? Is it 70% or 90%? What if that determination is wrong? What are the consequences? Could it lead to retaliatory attacks?
What else is the market doing? Lloyd’s has an enviable track record, based on its history but its willingness to be thoughtful about catastrophic and unique risks. However, war coverage tests the boundaries of capacity. It is not surprising that the market would look to see what Lloyd’s is doing and it seems as if Munich Re and AIG might be considering similar exclusions.”