Lloyd’s of London will require its underwriters to include exclusion clauses for state-backed cyber-attacks in all cyber-risk policies underwritten at Lloyd’s from 31 March 2023. This comes in the wake of geopolitical developments such as the war in Ukraine. In addition, controversies regarding alleged Russian state interference in the French and U.S. elections have elevated concerns that major state-backed cyber-attacks could result in catastrophic losses for insurers.
Most commercial insurance policies issued in London have included terrorism/war exclusions for many years. As a result, some countries have established terrorism pool coverage schemes to facilitate continuing cover. However, insurers began to fear that cyber policies, which are a relatively new underwriting class, could still be vulnerable to massive claims arising from state-backed cyber-terrorism. Legal precedents defining “acts of war” in the insurance context date back centuries and are challenging to apply to emerging cyber-terrorist acts. Identifying whether a cyber-attack is politically motivated is not easy. Insurers were concerned that existing standard terrorism/war exclusions would be inadequate to exclude liability in the event of a major state-backed cyber-terrorist incident.
Lloyd’s Underwriting Director Tony Chaudhry explained in a recent market bulletin that “the damage these attacks can cause and their ability to spread creates a systemic risk to insurers”. He further stated: “When writing cyberattack risks, underwriters need to take account of the possibility that state-backed attacks may occur outside of a war involving physical force”. The Lloyd’s marketplace is therefore requiring that all standalone cyber policies must include, unless agreed by Lloyd’s, a suitable clause excluding liability for losses arising from any state-backed cyberattack. These clauses must be in addition to any terrorism/war exclusion. The bulletin further stressed that underwriters need to understand the full scope of cover they are providing.
Minimum exclusion requirements
Buyers of insurance need to be aware that they will have some influence over the extent of the exclusions imposed on their cover by insurers. According to Lloyd’s, at a minimum, the state-backed cyberattack exclusion must:
- Exclude losses arising from war, declared or not, where the policy does not have separate war exclusions
- Exclude losses arising from state-backed cyberattacks that either significantly impair the ability of a state to function or that significantly impair the security capabilities of a state
- Be clear whether cover excludes computer systems that are located outside any state which is affected by the state-backed cyber-attack
- Set out a robust basis by which the parties agree on how any state-backed attack will be attributed to one or more states.
In an Irish context, an obvious case in point was the cyberattack in 2021 on the Irish Health Service Executive (HSE) which paralysed the national hospital system for several weeks. Arguably, if it could be shown to have been state-backed, this would have been a cyberattack that “significantly impair(ed) the ability of a state to function”. Losses arising from such an attack would, under the new rules, be excluded from any coverage underwritten in London going forward.
However, Lloyd’s is not requiring that all losses arising from state-backed cyberattacks must be excluded in all circumstances. There continues to be scope for underwriters to offer some level of coverage. The precise scope of coverage offered by underwriters remains open to negotiation. The London Market Association (LMA) has produced four precedent exclusion wordings, each of which will satisfy the Lloyd’s minimum requirements, but which have different levels of impact. Buyers of insurance will need to understand, together with their insurance advisers, what coverage remains possible for the London market to offer them and the impact of any standard LMA exclusion that underwriters seek to impose.
Clarity on cover
The Lloyd’s bulletin is intended to provide clear guidance to insurers who are writing in this class of business. The bulletin stated: “We consider the complexity that arises from cyberattack exposures in the context of war or non-war state-backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust.”
Commercial buyers of cyber insurance need to take the same approach as underwriters. Buyers must ensure that their policy wordings are legally reviewed to verify that they are sufficiently robust for their needs. No insurance buyer wishes to find itself in dispute with its insurers in the wake of a major cyberattack regarding whether its losses are covered or not!