Lloyd’s of London announces cyber-attack insurance exclusions for “state backed cyber-attack”

TLDR

Lloyd’s of London has directed that commencing in March 2023, underwriters are to exclude losses arising from any “state backed cyber-attack” from all standalone cyber-attack policies.[1] Attributing a cyber-attack to a particular state is fraught with technical and definitional problems, which are bound to be the subject of dispute between insurers and insureds. In the absence of attribution by a government, insurers bear the burden of proof.

Background

The market for cyber risk insurance is rapidly growing. It has been reported that the global cyber insurance market size was USD $6.15 Billion in 2020 and is projected to grow to USD $36.85 billion in 2028.[2]

Lloyd’s Underwriting Director, Tony Chaudhry, recognises that “cyber related business continues to be an evolving risk”, and one which “has the potential to expose the market to systemic risks that syndicates could struggle to manage.”

This is not the first time that Lloyd’s has sought to clarify or limit cover for cyber risks. In 2020, Lloyd’s issued a Market Bulletin requiring that all policies specify whether cyber cover is provided by either including affirmative cover or by excluding it.[3] This requirement targeted ‘Silent Cyber’, which refers to potential cyber risk exposures contained in traditional property and liability insurance policies by implication, i.e., by not being explicitly excluded. This is also known as ‘non-affirmative’ cyber insurance.

Lloyd’s Market Bulletin issued 16 August 2022 highlights that more recently, market focus has shifted to cyber-attack losses arising from attacks sponsored by sovereign states. While Chaudhry acknowledges that some managing agents are already using clauses specifically designed to exclude cyber-attack exposure arising from state backed cyber-attacks in war and non-war circumstances, the new exclusion requirements are proposed as necessary to establish consistency and to ensure that syndicates are managing exposures in a way that provides the parties with clarity of cover, means risks can be properly priced and reduces the likelihood of disputes.

The changes emerge against a backdrop of heightening political tensions. For example, the distributed denial-of-service (DDoS) attacks against the Ukrainian banking sector on 15 and 16 February 2022 are thought to have involved the Russian Main Intelligence Directorate (GRU).

This attack provides a rare example of public attribution by governments of a state-based cyber-attack. In this case, the Australian, United Kingdom and United States Governments jointly attributed the Ukraine attacks to the GRU.

What is required

Under the Lloyd’s directive, all standalone cyber-attack policies must include, unless agreed by Lloyd’s, “a suitable clause excluding liability for losses arising from any state backed cyber-attack”, which at a minimum must:

  1. exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion;
  2. (subject to 3) exclude losses arising from state backed cyber-attacks that
        (a) significantly impair the ability of a state to function; or
        (b) significantly impair the security capabilities of a state;
  3. be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state backed cyber-attack;
  4. set out a robust basis by which the parties agree on how any state backed cyber-attack will be attributed to one or more states; and
  5. ensure all key terms are clearly defined.

The standalone exclusion clause must be included in addition to any war exclusion (which can form part of the same clause or be separate to it).

The Bulletin provides that the requirements above will be satisfied where market agents adopt any of the four model clauses addressing state backed cyber-attacks published by the Lloyd’s Market Association (LMA) in December 2021 (issued as LMA21-042-PD) (Model Clauses).

Practical challenges

Considering Model Clause No. 1 (LMA5564) as an example, we note below some of the challenges that the Lloyd’s proposed exclusion would face in practice.

Attribution of a cyber operation to a state

Under LMA5564, in determining attribution of a cyber operation, the primary—but not exclusive—factor would be any attribution made by the government of the state where the affected computer system is physically located. This includes attributions made by the state’s intelligence and security services.[4]

This is problematic since governments very rarely publicly attribute an attack to a particular state, and usually only in significant cases that threaten national security. The reasons for this may include a reluctance to disclose intelligence methods and sources, as well as a fear of diplomatic and economic repercussions. Intelligence and security services themselves are unlikely to make public statements on such issues.

Examples of the Australian Government making a public attribution are few and far between. The Australian Government has publicly attributed malicious cyber activities to another state on only eight occasions.[5] The GRU attribution referred to above is the most recent. In July 2021, the Australian Government, again in concert with the UK and US Governments, was prepared to publicly attribute “malicious cyber activity to China’s Ministry of State Security.” About a year earlier, the then Prime Minister stopped short of naming a particular state, referring to Australian organisations “being targeted by a sophisticated state-based cyber actor”.

These attributions were all made under the previous LNP Government. It remains to be seen how the current Labor Government will approach public attribution. It is suggested that they are likely to be similarly cautious in this regard. In relation to the recent highly publicised data breach affecting Optus, the Minister for Cyber Security has rejected suggestions from Optus’ CEO that this was a “sophisticated attack”, indicating that the Government does not consider this to be a state-based or state-sponsored attack.

Apart from the political issues, the task of attribution is incredibly difficult from a technical perspective. It is well known that cyber-attacks can be carried out in such a way as to obfuscate their origin. For example, it is common for threat actors to route attacks through servers located in multiple jurisdictions to conceal their origins, or to include a ‘false flag’. This may involve, for example, including snippets of code usually associated with a particular group or carrying out activities during certain windows of time to correspond with business hours in a particular geographical location.

“Objectively reasonable” inference

If the government of the state where the affected computer system is physically located fails to make any attribution or takes an unreasonable time to do so, the onus of proof is on the insurer to prove attribution by reference to such other evidence as is available. Attribution may be to another state or an individual acting on its behalf.[6]

It is unclear how an insurer would be qualified to assess whether an inference as to attribution is “objectively reasonable”. Though insurers may rely upon findings by the relevant forensic investigator, such an inference would presumably have to be drawn from publicly available sources, since insurers do not have access to official sources of intelligence available to states such as Australia, the UK and US (including by way of intelligence sharing arrangements).

Separately, it is not apparent what distinguishes conduct that could be considered to be carried out “on behalf” of a state. Would this term capture non-state actors who operate in a permissive regulatory environment, e.g., in circumstances where the cyber attackers’ conduct is prima facie illegal, but the laws are not enforced by the state in circumstances where it might suit that state's foreign policy objectives not to do so?

Further, what constitutes “state backed”? Lloyd’s Market Bulletin refers variously to “state backed” attacks, “attacks sponsored by sovereign states” and “cyber-attack risks involving state actors”. The term “state backed” could refer to attacks for which the state has offered some form of financial or other support, or the concept may embrace a broader range of activities, such as those carried out by actors who are sympathetic to the objectives of the state.

These concepts would benefit from further development and clarification if the stated objective of the new requirement is going to be met, i.e., to establish consistency and to ensure that syndicates are managing exposures in a way that provides the parties with clarity of cover.

Conclusion

In an ever-evolving threat landscape, where both the likelihood of cyber-attack and the costs associated with remediation continue to grow, it is becoming increasingly important for insurers and insureds to have clarity of coverage. As the cyber insurance market hardens, insurers’ risk appetites shrink, and limits, pricing and coverage evolve accordingly. As insurers update standalone cyber-attack policies to meet the new exclusion requirement, clarification of core concepts will be central to ensuring that policies provide meaningful cover.

References

[1] Lloyd’s Market Bulletin Y5381: State backed cyber-attack exclusions, 16 August 2022, URL: https://assets.lloyds.com/media/eb6de9ce-293b-4213-80f8-9dc69c45b1a9/Y5381%20Market%20Bulletin%20-%20Cyber-attack%20exclusions.pdf (accessed 6 September 2022).

[2] Cyber Insurance Market Size, Share & COVID-19 Impact Analysis, By Component (Solution and Services), By Insurance Type (Standalone and Tailored), By Coverage Type (First-Party, Liability Coverage), By Enterprise Size (SMEs, Large Enterprise), By End User (Healthcare, Retail, BFSI, IT & Telecom, Manufacturing and Others), and Regional Forecast, 2021-2028, Fortune Business Insights, January 2022, URL: https://www.fortunebusinessinsights.com/cyber-insurance-market-106287 (accessed 6 September 2022).

[3] Lloyd’s Market Bulletin Y5258: Providing clarity for Lloyd’s customers on coverage for cyber exposures, 4 July 2019, URL: https://assets.lloyds.com/assets/y5258-providing-clarity-for-lloyd-s-customers-on-coverage-for-cyber-exposures/1/Y5258%20-%20Providing%20clarity%20for%20Lloyd%E2%80%99s%20customers%20on%20coverage%20for%20cyber%20exposures.pdf (accessed 7 September 2022).

[4] Cl. 3, LMA5564 - War, Cyber War and Cyber Operation Exclusion No. 1, URL: https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA21-042-PD.aspx

[5] Australia’s International Cyber and Critical Technology Engagement Strategy, 2021, p. 44, URL: https://apo.org.au/sites/default/files/resource-files/2021-04/apo-nid311927.pdf (accessed 19 September 2022).

[6] Cl. 4, LMA5564 - War, Cyber War and Cyber Operation Exclusion No. 1, URL: https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA21-042-PD.aspx