Lloyd’s sets requirements for state-backed cyber attack exclusions
The state-backed cyber attack exclusion clause must be in addition to any general war exclusion, said Lloyd's
From March 31 next year, all standalone cyber attack policies must exclude liability for losses arising from any state-backed cyber attack
Lloyd’s will require all standalone cyber attack policies to include a clause excluding liability for losses arising from state-backed cyber attacks.
The corporation has set out five minimum prerequisites for cyber attack policies falling within risk codes CY and CZ.
The clause must exclude losses arising from a war (declared or not) where the policy does not have a separate war exclusion and must exclude losses arising from a state-backed cyber attack that impairs a state’s ability to function or its security capabilities.
In addition, the clause must be clear on whether cover excludes IT systems located outside the attacked state and it must establish a clear basis on how the parties will agree if any state backed cyber attack comes from one or more countries.
The state-backed cyber attack exclusion clause must be in addition to any general war exclusion.
Lloyd's acknowledged cyber-related business continues to be an evolving risk, and said that if not managed properly, it could have the potential to expose the market to systemic losses that syndicates would struggle to manage.
"It is important that Lloyd’s can have confidence that syndicates are managing their exposures to liabilities arising from war and state backed cyber-attacks. Robust wordings also provide the parties with clarity of cover, means that risks can be properly priced and reduces the risk of dispute," the corporation said in a market bulletin.
“The ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb,” Lloyd’s added.
'It is important that Lloyd’s can have confidence that syndicates are managing their exposures to liabilities arising from war and state backed cyber-attacks. Robust wordings also provide the parties with clarity of cover, means that risks can be properly priced and reduces the risk of dispute'
Lloyd's said it recognised many managing agents are already including clauses tailored to exclude attacks from war and non-war state backed cyber-attacks but emphasised that all syndicates writing in this class need to do so to an appropriate standard with robust wordings.
"We consider the complexities that can arise from cyber-attack exposures in the context of war or non-war, state backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust."
The Lloyd's Market Association has provided a suitable model for clauses addressing state-backed cyber attacks and said it is satisfied any of the four models will meet the requirements set for cyber attack policies.
The new requirement comes into effect from March 31, 2023 at the inception or renewal of each policy.
For the 2023 year of account business-planning process, Lloyd's said it will be discussing with managing agents the clauses that they will be agreeing for use in standalone cyber attack policies.
"Managing agents will be expected to demonstrate that the clauses they will be adopting meet the requirements set out above. Where managing agents wish to diverge from the requirements set out in this guidance, they will need to provide a robust explanation for their approach and receive agreement from Lloyd’s," the bulletin said.