Greg Eskins
Managing Director, Cyber Risk Practice
Fostering and maintaining a sustainable cyber insurance market requires transparency, regardless of a given issue’s complexity. The underwriting process demands much from cyber insurance buyers — including demonstrating resiliency to ever-evolving and sophisticated threats. In return, they expect clarity of coverage, contract certainty, and an understanding of pricing mechanisms in order to make informed decisions about the coverage they are buying and the value derived.
Since releasing our analysis of the Lloyd’s Market Association’s (LMA) model war, cyber war, and cyber operations exclusions earlier this year, Marsh has continued discussions with Lloyd’s syndicates, insurers, the LMA and their legal advisors, and other market participants regarding the concerns we originally raised.
Through our discussions, a number of market participants articulated their intent to adopt one or more of the LMA model exclusions in some form or fashion. One market participant in particular — Munich Re, a leading re/insurer — expressed an interest in addressing the concerns we raised via collaboration on a modified version of the LMA 5567.
In the spirit of transparency, we share here a high-level summary of themes explored through our work with Munich Re, including that:
We appreciate the flexibility and openness of those who agreed to engage in discussions, including the LMA and their legal advisors, and especially Munich Re for collaborating, listening, and responding to a number of concerns we expressed on behalf of our clients.
The result of our collaboration can be accessed here.
On August 16, 2022, Lloyd’s released market bulletin Y5381, establishing new requirements for syndicates at Lloyd’s in their handling of war exclusions and state backed cyberattack coverage for class codes CY (cyber liability) and CZ (cyber property damage).
A market bulletin is the formal means of advising Lloyd’s syndicates to take an action. This particular bulletin establishes a new requirement that all policies falling within the above noted codes include a “suitable clause” excluding losses arising from any state backed cyberattack in accordance with requirements set out within the bulletin. The clause must be in addition to any war exclusion, which can form part of the same clause or be separate to it.
The new bulletin is effectively (1) a restatement of the existing prohibition on covering war risk and (2) clarification, for the purposes of Lloyd’s regulations, that syndicates must also account for their exposure to a non-physical, cyber enabled state-on-state attack, which may be as harmful as a physical act of war.
It is important to note that Lloyd’s does not require an absolute exclusion for state backed cyberattacks, irrespective of the scale of the impact. Instead, such attacks must be excluded when they cause a significant impairment to another state (see requirement 2).
Additionally, syndicates may give back coverage for collateral damage in another state that is affected, but not significantly impaired.
Lloyd’s also requires a “robust” method for two parties to agree on attribution, rather than allowing syndicates to effectively say, “we will decide.” However, Lloyd’s confirmed to us that this method need not be set out in the exclusion itself.
While the bulletin references the four recent LMA war and cyber operations clauses from December 2021, it does not mandate the use of those exclusions — a critical detail that some media reports have omitted.
It is yet to be seen how this new requirement will translate into policy language across the Lloyd’s marketplace. However, the distinct possibility of such an action by Lloyd’s and other market participants regarding this requirement is, in part, why we started our work several months ago. For those insurers seeking to introduce cyber operations — also called state backed/sponsored cyberattacks — as a factor in war exclusions to meet this new requirement, we encourage reference to the themes noted above, the Munich Re endorsement, and the concerns we raised in our February analysis to evaluate the proposed wording to ensure it does not overreach.
Marsh remains engaged and committed to further market dialogue to advance policyholder interests, while continuing to collaborate with insurers and other stakeholders to help pave a path forward as the marketplace addresses the evolving nexus between cyber risk, war, and state backed cyberattacks.
Beyond the primary goal of supporting our clients, we hope that sharing our reasoning and the corresponding work product will contribute to the broader cyber marketplace’s understanding of a substantive and complex topic that affects all who do or may purchase a cyber insurance product.
Managing Director, Cyber Risk Practice