If you are looking to establish or renew cyber insurance coverage with Lloyd’s of London in 2023 or beyond, don’t expect any assistance with nation-state attacks. Beginning in April of next year, the insurer will drop coverage for a wide range of attacks that can be “inferred” to stem from the actions of an advanced persistent threat (APT) group engaging in a fairly loose interpretation of cyber war.
The development continues a general push by insurers to have cyber attacks swept under the “acts of war” exemptions that are common to policies, but there are serious questions about how that attribution will be made for the purposes of cyber insurance coverage. Lloyd’s appears to rely first on official government attributions as a source; those are sometimes not backed by evidence visible to the public, and the insurer goes a step further by reserving the right to make its own inferences in certain cases in which there has been no official attribution.
Lloyd’s cyber insurance coverage drops “catastrophic” nation-state attacks as of March 31
When determining whether or not to deny cyber insurance coverage, Lloyd’s will first turn to official attributions from a limited set of trusted nations. That by itself could create controversy and legal challenges, given that demonstrable evidence may be classified or governments may themselves be making inferences rather than having incontrovertible proof.
But things get even more turbulent if these governments “take an unreasonable amount of time” in making an attribution or are “unable” to. Lloyd’s grants itself the ability to make an “objectively reasonable” call of its own in these circumstances. It also adds that this may apply to groups “acting on the behalf” of a nation-state, which could be applied to independent criminal groups that declare support for a government (e.g. Russia) but are not acting under orders from it.
All of this comes as organizations are struggling to maintain adequate cyber insurance coverage, as premiums have spiked and limits have been substantially reduced across the market since 2021. Vague attribution of nation-state attacks could thus be an existential threat if the cost of a ransomware incident stretches into the tens of millions of dollars, especially for small and medium-size businesses.
Indirect damage from nation-state attacks might also not be covered
It’s relatively rare for nation-state attacks to do damage to private companies, outside of perhaps stealing privileged information. Insurer concerns are centered more on unintended consequences of exchanges by enemy nations, such as the global fallout of the NotPetya attack (which was intended to be a targeted action against Ukrainian businesses). Insurers want incidents such as these to be viewed by the law as the sort of “acts of war” that have traditionally been exempt from policies.
Organizations are seeking more cyber insurance coverage just as insurers are pulling back, as ransomware and scams have gone into overdrive since the beginning of the Covid-19 pandemic. If other insurers follow Lloyd’s, nation-state attacks could cause an even greater degree of chaos to critical infrastructure, finance and health care organizations among others.