If Lloyd’s exclusion of coverage for state-sponsored attacks is the future for cybersecurity insurance, then the value of that insurance may be diminished.
Cyber related businesses are ‘evolving risk’
Lloyd’s of London Ltd. issued a market bulletin dated August 16, 2022, setting out new rules for standalone cyber-attack policies that would exclude coverage for damages from state-sponsored attacks.
The bulletin offers guidance on how to apply the exclusions to “…all standalone cyber-attack policies falling within risk codes CY (‘Cyber Security Data and Privacy Breach’) and CZ (‘Cyber Security Property Damage’).”
“Lloyd’s remains strongly supportive of the writing of cyber-attack cover[age] but recognises also that cyber related business continues to be an evolving risk...[and] that losses have the potential to greatly exceed what the insurance market is able to absorb,” the guidance says.
The new requirements set forth by Lloyd’s include excluding “losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.”
Lloyd’s is a London-based insurance and reinsurance marketplace where financial backers gather to pool and spread risk. With a reputation for insuring anything, such as Betty Grable’s legs and Bruce Springsteen’s voice, it’s hardly surprising that policies for damage from cyber-attacks were for sale at Lloyd’s.
It’s not clear how big a role the Ukraine-Russia war played in this decision. As the bulletin says, damages due to an actual “kinetic” war were always in a separate class of claim. But what is a war these days? In 2007, Estonia was subjected to a massive cyberattack, which it blamed on Russia. No war was declared, and Russia denied involvement. Russia was also blamed by the U.S. government for cyberattacks on U.S. interests in the 2016 elections. But the U.S. is not at war with Russia.
Situations like Estonia and Ukraine pose a major problem for such policies: How do the parties establish that the attack was state-sponsored? The bulletin says that the now-required exclusion language must “…set out a robust basis by which the parties agree on how any state backed cyberattack will be attributed to one or more states.”
This kind of language could lead to disputes over coverage.
For example, in the Ukraine-Russia war, most of the attacks have been attributed to Russian government entities, according to a report from the Center for Strategic and International Studies.
“Chiefly the GRU, Russia’s military intelligence service, which has a history of using disruptive cyberattacks. In a few cases, proxy groups (such as the leading ransomware group Conti) were also involved,” the report said.
Disputes could arise if it’s not clear where these attacks originated or what the actual intention was. Does the attack come from government actors, or is it simply criminal syndicates seeking cash? Or private parties acting out of “patriotism”?
The Lloyd’s bulletin also draws no distinctions in the type of attack. The attacks on Estonia were DDoS attacks that brought down Internet infrastructure and major websites in the country. These attacks have also been used in the Ukraine-Russia dispute.
If you have cybersecurity insurance and, whether it’s through Lloyd’s or not, such exclusions are the way of the future, what can you do?
Nobody would ever recommend that you rely on insurance as a primary method of cybersecurity; it’s supposed to be there only if all your defensive technical and business practices fail. But if cybersecurity insurance becomes less valuable, you may want to divert budget from it to strengthen best security practices. There’s always more to do with best practices.
These best practices are well-known and effective:
- Strong user authentication, including two factors
- Rigorous machine identity management
- Prompt application of updates to software
- Adherence to the principle of least privilege
- Development, testing, and continual refinement of incident response plans, including plans for a ransomware attack
- For more, see this extensive list from the US Cybersecurity & Infrastructure Security Agency (CISA)