A cyber continuum: Cyber war exclusions — moving towards clarity

Fostering and maintaining a sustainable cyber insurance market requires transparency, regardless of a given issue’s complexity. The underwriting process demands much from cyber insurance buyers — including demonstrating resiliency to ever-evolving and sophisticated threats. In return, they expect clarity of coverage, contract certainty, and an understanding of pricing mechanisms in order to make informed decisions about the coverage they are buying and the value derived.

Beginning to address the challenges of the LMA war, cyber war, and cyber operations exclusions

Since releasing our analysis of the Lloyd’s Market Association’s (LMA) model war, cyber war, and cyber operations exclusions earlier this year, Marsh has continued discussions with Lloyd’s syndicates, insurers, the LMA and their legal advisors, and other market participants regarding the concerns we originally raised.

Through our discussions, a number of market participants articulated their intent to adopt one or more of the LMA model exclusions in some form or fashion. One market participant in particular — Munich Re, a leading re/insurer — expressed an interest in addressing the concerns we raised via collaboration on a modified version of the LMA 5567.

In the spirit of transparency, we share here a high-level summary of themes explored through our work with Munich Re, including that:

  • The endorsement should not serve as a catastrophic risk catchall.
  • The endorsement should clarify the scope of coverage provided resulting from state backed cyberattacks.
  • The endorsement should bring clarity to what constitutes war, and avoid conflation with the concept of a cyber operation.
  • The introduction of new concepts like “cyber operations,” “major detrimental impact,” “impacted state,” and “essential services” should be as clear and unambiguous as possible in order to avoid or minimise disputes as to the meaning of the wording.
  • The inclusion of references to attribution of cyber operations should not change the legal burden of proof, nor should it alter how the policy responds. Attribution of cyber operations to a sovereign state should not automatically trigger an exclusion of coverage.
  • The endorsement should clearly delineate between cyberattacks that constitute or are deployed as part of an ongoing war — and thus are beyond the scope of coverage — and cyberattacks that are not related to a war and so should not be inadvertently excluded.

We appreciate the flexibility and openness of those who agreed to engage in discussions, including the LMA and their legal advisors, and especially Munich Re for collaborating, listening, and responding to a number of concerns we expressed on behalf of our clients.

The result of our collaboration can be accessed here.

Lloyd’s market bulletin addresses state backed cyberattacks

On August 16, 2022, Lloyd’s released market bulletin Y5381, establishing new requirements for syndicates at Lloyd’s in their handling of war exclusions and state backed cyberattack coverage for class codes CY (cyber liability) and CZ (cyber property damage).

A market bulletin is the formal means of advising Lloyd’s syndicates to take an action. This particular bulletin establishes a new requirement that all policies falling within the above noted codes include a “suitable clause” excluding losses arising from any state backed cyberattack in accordance with requirements set out within the bulletin. The clause must be in addition to any war exclusion, which can form part of the same clause or be separate to it.

The new bulletin is effectively (1) a restatement of the existing prohibition on covering war risk and (2) clarification, for the purposes of Lloyd’s regulations, that syndicates must also account for their exposure to a non-physical, cyber enabled state-on-state attack, which may be as harmful as a physical act of war.

It is important to note that Lloyd’s does not require an absolute exclusion for state backed cyberattacks, irrespective of the scale of the impact. Instead, such attacks must be excluded when they cause a significant impairment to another state (see requirement 2). 

Additionally, syndicates may give back coverage for collateral damage in another state that is affected, but not significantly impaired.

Lloyd’s also requires a “robust” method for two parties to agree on attribution, rather than allowing syndicates to effectively say, “we will decide.” However, Lloyd’s confirmed to us that this method need not be set out in the exclusion itself. 

While the bulletin references the four recent LMA war and cyber operations clauses from December 2021, it does not mandate the use of those exclusions — a critical detail that some media reports have omitted. 

It is yet to be seen how this new requirement will translate into policy language across the Lloyd’s marketplace. However, the distinct possibility of such an action by Lloyd’s and other market participants regarding this requirement is, in part, why we started our work several months ago. For those insurers seeking to introduce cyber operations — also called state backed/sponsored cyberattacks — as a factor in war exclusions to meet this new requirement, we encourage reference to the themes noted above, the Munich Re endorsement, and the concerns we raised in our February analysis to evaluate the proposed wording to ensure it does not overreach.

Work continues

Marsh remains engaged and committed to further market dialogue to advance policyholder interests, while continuing to collaborate with insurers and other stakeholders to help pave a path forward as the marketplace addresses the evolving nexus between cyber risk, war, and state backed cyberattacks.

Beyond the primary goal of supporting our clients, we hope that sharing our reasoning and the corresponding work product will contribute to the broader cyber marketplace’s understanding of a substantive and complex topic that affects all who do or may purchase a cyber insurance product.

Our people

Greg Eskins

Managing Director, Cyber Risk Practice