国产黑料吃瓜泄密入口

Article

A Cyber Continuum

Cyber war exclusions 鈥 moving towards clarity

This article was first published by Marsh.

Fostering and maintaining a sustainable cyber insurance market requires transparency, regardless of a given issue鈥檚 complexity. The underwriting process demands much from cyber insurance buyers 鈥 including demonstrating resiliency to ever-evolving and sophisticated threats. In return, they expect clarity of coverage, contract certainty, and an understanding of pricing mechanisms in order to make informed decisions about the coverage they are buying and the value derived.

Beginning to address the challenges of the LMA war, cyber war, and cyber operations exclusions

Since听of the Lloyd鈥檚 Market Association鈥檚 (LMA) model war, cyber war, and cyber operations exclusions earlier this year, Marsh has continued discussions with Lloyd鈥檚 syndicates, insurers, the LMA and their legal advisors, and other market participants regarding the concerns we originally raised.

Through our discussions, a number of market participants articulated their intent to adopt one or more of the LMA model exclusions in some form or fashion. One market participant in particular 鈥 Munich Re, a leading re/insurer 鈥 expressed an interest in addressing the concerns we raised via collaboration on a modified version of the LMA 5567.

In the spirit of transparency, we share here a high-level summary of themes explored through our work with Munich Re, including that:

  • The endorsement should not serve as a catastrophic risk catchall.
  • The endorsement should clarify the scope of coverage provided resulting from state backed cyberattacks.
  • The endorsement should bring clarity to what constitutes war, and avoid conflation with the concept of a cyber operation.
  • The introduction of new concepts like 鈥渃yber operations,鈥 鈥渕ajor detrimental impact,鈥 鈥渋mpacted state,鈥 and 鈥渆ssential services鈥 should be as clear and unambiguous as possible in order to avoid or minimize disputes as to the meaning of the wording.
  • The inclusion of references to attribution of cyber operations should not change the legal burden of proof, nor should it alter how the policy responds.听Attribution of cyber operations to a sovereign state should not automatically trigger an exclusion of coverage.
  • The endorsement should clearly delineate between cyberattacks that constitute or are deployed as part of an ongoing war 鈥 and thus are beyond the scope of coverage 鈥 and cyberattacks that are not related to a war and so should not be inadvertently excluded.

We appreciate the flexibility and openness of those who agreed to engage in discussions, including the LMA and their legal advisors, and especially Munich Re for collaborating, listening, and responding to a number of concerns we expressed on behalf of our clients.

The result of our collaboration can be听

Lloyd鈥檚 market bulletin addresses state backed cyberattacks

On August 16, 2022, Lloyd鈥檚 released听, establishing new requirements for syndicates at Lloyd鈥檚 in their handling of war exclusions and state backed cyberattack coverage for class codes CY (cyber liability) and CZ (cyber property damage).

A market bulletin is the formal means of advising Lloyd鈥檚 syndicates to take an action. This particular bulletin establishes a听new听requirement that all policies falling within the above noted codes include a 鈥渟uitable clause鈥 excluding losses arising from any state backed cyberattack in accordance with requirements set out within the bulletin. The clause must be in addition to any war exclusion, which can form part of the same clause or be separate to it.

The new bulletin is effectively (1) a restatement of the existing prohibition on covering war risk and (2) clarification, for the purposes of Lloyd鈥檚 regulations, that syndicates must also account for their exposure to a non-physical, cyber enabled state-on-state attack, which may be as harmful as a physical act of war.

It is important to note that Lloyd鈥檚 does听not听require an absolute exclusion for state backed cyberattacks, irrespective of the scale of the impact. Instead, such attacks must be excluded when they cause a significant impairment to another state (see requirement 2).

Additionally, syndicates may give back coverage for collateral damage in another state that is affected, but not significantly impaired.

Lloyd鈥檚 also requires a 鈥渞obust鈥 method for two parties to agree on attribution, rather than allowing syndicates to effectively say, 鈥渨e will decide.鈥 However, Lloyd鈥檚 confirmed to us that this method need not be set out in the exclusion itself.

While the bulletin references the four recent LMA war and cyber operations clauses from December 2021, it does not mandate the use of those exclusions 鈥 a critical detail that some media reports have omitted.

It is yet to be seen how this new requirement will translate into policy language across the Lloyd鈥檚 marketplace. However, the distinct possibility of such an action by Lloyd鈥檚 and other market participants regarding this requirement is, in part, why we started our work several months ago. For those insurers seeking to introduce cyber operations 鈥 also called state backed/sponsored cyberattacks 鈥 as a factor in war exclusions to meet this new requirement, we encourage reference to the themes noted above, the Munich Re endorsement, and the concerns we raised in our February analysis to evaluate the proposed wording to ensure it does not overreach.

Work continues

Marsh remains engaged and committed to further market dialogue to advance policyholder interests, while continuing to collaborate with insurers and other stakeholders to help pave a path forward as the marketplace addresses the evolving nexus between cyber risk, war, and state backed cyberattacks.

Beyond the primary goal of supporting our clients, we hope that sharing our reasoning and the corresponding work product will contribute to the broader cyber marketplace鈥檚 understanding of a substantive and complex topic that affects all who do or may purchase a cyber insurance product.