Insured ‘cannot wait’ for government declaration of cyber warfare

“If we rely on government declarations, we run the risk of being politically motivated.”

In August, Lloyd’s clarified that from the end of March 2023, its management agents will need to ensure that war exemptions are up to date in terms of cyber policy.

In a market bulletin, Lloyd’s said it would be “satisfied” if a company met this standard by using any of the four cyberwarfare exclusion clauses drafted by the Lloyd’s Market Association, but any of these clauses you don’t have to use Get another one that meets your criteria.

The order may have been intended to provide clarity to the market and the insured, but in the aftermath of the announcement, both inside and outside the insurance market, the difficulty of identifying the source of the attack , the risk of litigation and the possibility of insurance being damaged. Despite widely reported anecdotal interest stemming from the Russian-Ukrainian conflict, buyers may pull the covers off.

read more: Neuroid Cyber ​​Directives Fuel ‘Gray Zone’ Concerns

Much of the criticism and concern stems from the misconception that Lloyd’s forces companies to use one of the LMA clauses. This suggests that the “major but not exclusive factor” is state governments that have confirmed they have been victims of cyberattacks. According to Newman.

For brokers, including John Pennick, Chairman of the Cyber ​​Panel of the British Association of Insurance Brokers in the UK, Insurance business Last month, significant concerns arose over the attribution of attacks. There are concerns not only about how long this will take, but also whether there is any political motivation for state governments to declare or not declare a suspected attack from another state.

“There is some confusion that Lloyd’s mandate is somehow related to the LMA exclusion,” said Newman, who predicted that most underwriters would not adopt any of the four LMA clauses.

“I personally think that these exclusions have inherent weaknesses and how they are drafted, and that is not the basis for us to draft them,” he said. added.

Newman suggests that underwriters, especially those working with small businesses, are likely to look internally or elsewhere for compliance clauses.

“[The LMA clauses] It’s drafted as if everyone in the world is a multi-billion dollar corporation, relying on insurance to protect their balance sheets and waiting 12 months for payments.

“Those claims [coming from smaller enterprises] Nation-state attacks or not, we can’t wait six months for insurance companies to settle.

“We have to accept that the attribution that needs to be done more quickly may be less accurate. If both parties agree, I think that’s fine.”

In Newman’s view, delegation itself is “absolutely necessary”.

“Institutions like Lloyds need to force people to update their wording and make sure it is clear for both insurers and insured persons,” he said.

“The reality is that this new order does not exclude any new claims that would otherwise have been covered, all of which the market intended to exclude using the war exclusion. because it is a false claim.”

The problems caused by relying on war exclusions drafted before cyberwarfare or electronic warfare was developed were evidenced in the US January ruling. The ruling ruled in favor of pharmaceutical giant Merck in a lawsuit against an insurance company.

Merck was seeking US$1.4 billion for losses incurred when 40,000 computers were infected with the NotPetya malware in June 2017.

Read the following: CFC Response to Dial Reset for Proactive Cyber ​​Solutions

The insurer had claimed the losses were not covered by its “all risks” policy because the malware was used as a tool for the Russian Federation in its hostilities against Ukraine.

The judge sided with Merck, going so far as to criticize the insurer for “failing” to update its policy language to reflect cyber developments.

New Jersey Superior Court Judge Thomas Walsh noted that the language used in the policy had been “substantially the same over the years.”

According to Newman, Lloyd’s order to prevent a recurrence of the Merck judgment can be divided into three parts.

The first is to clarify that when insurance companies exclude warfare, they also exclude electronic warfare.

“Evidently, electronic warfare is an electronic attack by a nation state against another nation state, but to be considered cyberwarfare it must have a significant detrimental effect on the nation attacked and thus meet the threshold and criticality. In plain language, that’s what we call war,” Newman said.

The second element is to clarify whether incidental damages are covered. For example, the NotPetya ransomware targeted by Merck’s allegations could have undoubtedly targeted Ukraine, but it infected systems around the world.

“The order simply states that insurers must make it clear whether they intend to cover or exclude collateral damage,” Neumann commented.

The third is to ensure that the insurer has defined how it decides how to identify the source of a potentially state-sponsored attack.

“People say it’s very difficult to do attribution in the context of electronic attacks, and it’s true, [Lloyd’s] “Well, it’s complicated, so write down how you’re going to do the attribution instead of figuring it out when the claim comes up,” Newman said.