Lloyd’s Insurers Must Exclude Catastrophic State-Backed Cyber-Attacks
Lloyd’s insurers must exclude state-backed cyber-attacks in standalone (or affirmative) cyber policies if they reach a catastrophic threshold, according to a Lloyd’s market bulletin issued this week.
However, the exclusion would include liability for losses arising from both war- and non-war-related state-backed cyber-attacks.
“Lloyd’s remains strongly supportive of the writing of cyber-attack cover but recognises also that cyber related business continues to be an evolving risk,” said the bulletin. “If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage.”
The bulletin explained “that losses have the potential to greatly exceed what the insurance market is able to absorb.”
In a phased approach starting in 2020, Lloyd’s began to require all policies to specify whether cyber cover is provided by either including affirmative cover (via a standalone cyber policy) or excluding it.
“[W]hen writing cyber-attack risks, underwriters need to take account of the possibility that state-backed attacks may occur outside of a war involving physical force. The damage that these attacks can cause and their ability to spread creates a similar systemic risk to insurers,” said the Lloyd’s market bulletin No. Y5381, published on Aug. 16.
Many Lloyd’s managing agents are already including clauses in their policies specifically designed to exclude cyber-attack exposure arising both from war and non-war, state-backed cyber-attacks, the bulletin affirmed.
“We wish to ensure, however, that all syndicates writing in this class are doing so at an appropriate standard, with robust wordings. We consider the complexities that can arise from cyber-attack exposures in the context of war or non-war, state-backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust.”
At a minimum, the bulletin said, the state-backed cyber-attack exclusion must:
“For the 2023 year of account business planning process, we will be discussing with managing agents the clauses that they will be agreeing for use in standalone cyber-attack policies,” said the bulletin.
Managing agents must demonstrate that the clauses they will be adopting meet these requirements, it continued. “Where managing agents wish to diverge from the requirements set out in this guidance, they will need to provide a robust explanation for their approach and receive agreement from Lloyd’s.”
LMA Model Clauses
According to the bulletin, the Lloyd’s Market Association (LMA) has already produced suitable model clauses that address state-backed cyber-attacks, issued as “LMA21-043-PD,” which would satisfy its requirements.
Managing agents must decide on which clause they wish to adopt, provided they can demonstrate the clause meets the market requirements, unless they receive a dispensation from Lloyd’s.
The new requirements take effect from March 31, 2023, at the inception or on renewal of each policy. There is no requirement to endorse existing, in-force policies, unless the expiration date is more than 12 months from March 31, 2023.
In implementing the requirements set out above, the bulletin reminded managing agents that they also need to have regard to the terms of their reinsurance programs, to ensure they provide appropriate, back-to-back cover.