Lloyd’s of London, which describes itself as ‘the world’s leading insurance and reinsurance marketplace’, has clarified its position on war exclusions and cyberattack cover. It will require its underwriters to include such an exclusion, based on its definition of cyberwar, in future cyber insurance policies.
The argument is clear and simple: the rising cost of cyber insurance payouts. “In particular, the ability of hostile actors to easily disseminate an attack,” announces (PDF) Lloyd’s, “…means that losses have the potential to greatly exceed what the insurance market is able to absorb.”
The new exclusion will come into effect from March 2023 at the inception of new cyber insurance policies or the renewal of existing ones. This is not a withdrawal from the cyber insurance market in general, but potentially a retraction from one of the industry’s primary causes of concern: geopolitically motivated destructive cyberattacks.
Over the last few years, the insurance industry has struggled to keep pace with ransomware costs and has been forced to repeatedly increase both premiums and insurance exclusions. Now Lloyd’s is worried about the potential cost of cyberwar.
A basic war exclusion clause has always been part of insurance – but Lloyd’s is clarifying (and expanding) its definition of cyberwar. It is making clear that an act of cyberwar is dependent neither on a formal declaration of war nor on the existence of physical (kinetic) hostilities between two or more nations.
Nor, in fact, does a cyberattack need to be delivered by a recognized state or state actor for it to be classified as an act of cyberwar and therefore excluded from a cyber insurance policy. The result could be contentious.
Lloyd’s has provided four model clauses from which its underwriters should choose. In each case, an insurance payout is excluded if the attack is attributed to a foreign state. But as with all cyberattacks, attribution can be tricky.
In all four model clauses, “The primary but not exclusive factor in determining attribution” is whether the victim’s intelligence or security agencies make that attribution. This is clear and unlikely to cause any issues. However, it is the ‘but not exclusive’ phrase that could cause problems.
This is expanded with, “Pending attribution by the government… the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its behalf. It is agreed that during this period no loss shall be paid.”
The problem here is the phrase, ‘or those acting on its behalf’. Many adversarial cyber nations both run their own threat actor groups and use non-state proxy groups. For example, many Russian Federation ransomware gangs, if not run by government agencies, are known to and tolerated by the government.
Vladimir Putin infamously suggested that it may have been ‘patriotic’ private Russian hackers – not the Russian government – that interfered in the US 2016 elections. In this case, his assertion would have been overridden by the clear US government attribution of the hacks to the Russian state. But there are many cases where such patriotic Russians are thought to have a connection with the Russian state, and where their actions align with state politics, but there is no, and cannot be any, absolute proof.
Consider also the AcidRain cyberattack against Viasat at the outset of Russia’s invasion of Ukraine. There can be little doubt that this was an act of cyberwar by Russia against Ukraine designed to degrade the Ukrainian army’s battlefield communications. There would be no payout on any Ukrainian cyber insurance.
But the effect of the AcidRain attack spilled out of Ukraine and affected 5,800 wind turbines in Germany. There has been no official western attribution of AcidRain. However, security researchers, such as SentinelLabs, have drawn connections linking AcidRain to either Sandworm or APT28 – both of which are thought to be operated by Russia’s GRU (the foreign military intelligence agency).
No formal attribution – but would the work of private security researchers be sufficient to give insurers ‘an inference which is objectively reasonable as to attribution’? Would the operators of the German wind turbines be able to claim for loss under an insurance policy?
This is all hypothetical – a thought experiment to consider the implications of Lloyd’s of London’s future war exclusion clause. There may be political reasons for a government to decline to publicly accuse a foreign government of a cyberattack. Under such circumstances, the Lloyd’s underwriters could still infer an act of cyberwar based on current geopolitics and private security researchers’ conclusions.
But what would that require? Just one researcher, or multiple researchers? What level of confidence would be required from the researchers: ‘low confidence’, ‘moderate confidence’, or ‘high confidence’ in their attribution?
Lloyd’s is attempting to safeguard its underwriters and the insurance industry in general from accepting risk that could ultimately be too costly for the insurance industry to cover. But at what cost to the cyber insurance market? Deteriorating geopolitical relations around the world make it increasingly likely that there will be destructive attacks against critical industries.
While companies might view insurance as a potential risk mitigation route, insurers are making it easier for themselves to exclude any payout.