This new mandate by Lloyd’s of London could mean that the wider insurance market will have to adopt similar Cyber Security and exclude state-backed cyberattacks and war from their policies.
This could lead to a stream of litigation for Lloyd’s of London, but impact the entire industry.
The Lloyd’s mandates to name and shame cyber-attacks come amid heightened public awareness of cyber risk.
The Ukraine War has further increased the Russian government’s dependence on technology in terms of the information it generates, and in turn has made public awareness of cyber risk more prominent.
What does cyber insurance look like?
When considering cyberattacks, state actors might have additional features which have to be taken into account.
Lloyd’s released its August 16 market bulletin which raised the risks of cyberattacks from state actors, stating that their features should be considered because it poses a greater risk then any other cyberattack.
When writing about cyberattack risks, an underwriter must take account of the idea that state-backed attacks may occur outside of a war involving physical force.
The damage these attacks can cause and their ability to spread creates a similar systemic risk to insurers.
The company has been increasing in the cyber arena, first by requiring that policies have an explicit digital treatment from 2020.
In an update to a policy issued in November, Lloyd’s said that the changes were needed due to “clarification of the phrase ‘war-fighting cyber-attack’.
However, new guidelines for syndicates are in place and require that their content is of a high standard.
It’s likely that other money saving changes to health insurance will happen on March 31.
But the authors warn of potential “grey areas”, where it might be hard to determine whether an attack is state-backed or not, and of litigation that could arise.
Cindy Jordano, partner at Cohen Ziffer Frenchman & McKenna, New York warns that when new exclusions and policy language are combined, it may result in litigation.
Jordano, who is a Senior Research Director at Celent, predicts that other insurers will be following suit in a big way in the near future and may be more opportunistic than Lloyd’s of London.
Insurers may face challenges in proving that exclusions apply “unambiguously to any given case”
“It’s going to be difficult in practice to enforce these exclusions,” Jordano said. “Anonymity makes it very difficult to identify cyberattacks and blend in those who are behind them.”
John Pennick, chair of the British Insurance Brokers’ Associations’ cyber focus panel, says that online brokers could face multiple concerns due to recent changes in the industry.
These issues include fears of reputation problems.
“If the business takes care of the situation they run into ransom, a business may end up closing, or insurance companies may not decide that it was actually an attack and it was. Then the damage might have already been done.”
While some stakeholders have raised the alarm on the changes, Chris Gissing, business development representative at Arete Response, talked about what other companies
are doing by shifting to AI, saying “we’re not seeing a lot of responsiveness to our concerns.”
Lloyd’s of London is acting to affirm its support for cyber insurance, which is a key market concern.
As an influx of activity in the sector siphons on liability-based operations and traditional carriers adopt levels of prudence that lack teeth and visible progress
Lloyd’s’ endorsement of such an important industry is not only encouraging, but vastly overdue.
Thanks to increased underwriting controls and the implementation of multiple measures, it is no longer possible for an insured person to obtain a policy that covers ransomware.
Let’s talk about cyber insurance
Gissing set out, to identify whether attacks were state-backed.
“The anonymity of the internet makes it incredibly difficult to attribute an attack to either a nation state or a criminal organization with total confidence,” he said. “That’s even without addressing the grey area of those crime
organizations that are potentially state-backed, sympathetic to the center or even hacktivists.”
Although the exclusions could create more disputes over policyholder reimbursements, the lack of a uniform standard for identifying a “state-backed cyber attack” has created confusion.
The cyber response firm employee said he hoped that increased collaboration and public-private resources would lead to a more effective law enforcement program.
86% of people in a recent poll believe they have been targeted by a cyber attack by an organization acting on behalf of a country. This is because the mostly clear lines between state and non-state cyber attacks are blurring.
Trellix and the US Center for Strategic and International Studies surveyed 800 IT security decision makers from the US, Germany, the UK, France, Australia, Japan, and India between November and December.
Countries across the globe have different cyber objectives, and Israel is no exception. Russia, China, Iran, and North Korea (who reportedly seek money) all experienced a big spike in cybercrime in 2021.
Chainalysis discovered that digital assets were compromised to the tune of nearly $400 million by the time that year came to a close.
Cyberattacks committed by a successful nation-state target organizations with an average cost of $1.6 million and also typically target companies, church leaders, and doctors.
“Beek said that 63% of IT decision makers have high confidence in being able to differentiate the types of incidents,” said Beek.
With a comprehensive cybersecurity strategy in place, organizations are better prepared to quickly deal with malicious state-backed attacks, which generate an out-of-service deadline.