Insurance marketplace provider Lloyd’s of London has informed insurance companies that they must exclude coverage for acts of war and state-based cyberattacks from March 2023.
In a memo written Aug. 16 by Lloyd’s Underwriting Director Tony Chaudh, companies were told that they must exempt coverage for losses “arising from a war,” as well as from state-backed cyberattacks that “significantly impair the ability of a state to function,” or which impact a state’s security capabilities, Recorded Future reports. The memo also stated that syndicates must put in place a transparent system for how to attribute an attack to a state-based actor.
“The ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb,” the memo stated.
Lloyd’s is the world’s largest insurance marketplace provider, with the company competing and collaborating to share risk with insurance providers across various industries. The decision to exclude acts of war and state-based attacks will not apply to all companies that offer cyber insurance, but because Lloyd’s is the industry’s biggest marketplace, it will affect many companies in the sector. The move will also likely be copied by Lloyd’s competitors.
The decision to exclude acts of war and state-sponsored attacks comes amid a surge in cyberattacks this year following the Russian invasion of Ukraine in February. Lloyd’s seems to believe that the overall outlook for cyberattacks will worsen amid increased geopolitical tensions and threats.
“The news that Lloyd’s of London has instructed its members to exclude nation-state cyber attacks from insurance policies beginning in 2023 should serve as a warning sign for organizations not to rely solely on insurance coverage to mitigate possible cyber threats,” Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, told SiliconANGLE. “If the company has cybersecurity insurance, this could relieve many of the unexpected costs, but even if there is insurance to count on, cyber incident claims are complicated and may not cover all the costs.”
David Lindner, chief information security officer at application security software company Contrast Security Inc., raised the question of how difficult it will be for Lloyd’s to enforce the exclusions. “Based on their bulletin, it would require the attacked company to declare it a nation-state event which would not work very well,” Lindner explains. “It begs the following questions to be asked – at what point is it a nation-state directly attacking the covered organization and who makes that determination?”