By Mikel Pearce
In a recent Market Bulletin dated 16 August 2022 [1], Lloyd’s has set out its requirement that any standalone cyber policy issued or underwritten by a Lloyd’s Syndicate must contain an exclusion sufficient to exclude any losses arising from a “state backed cyber-attack”. This is in addition to any “war” exclusion, because, as the Bulletin notes, state backed attacks can occur both in the context of a conventional war and outside that context.
The Bulletin sets out minimum standards for the relevant exclusion. The exclusion must do the following:
1. Exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
2. (Subject to 3 below) exclude losses arising from state backed cyber-attacks that (a) significantly impair the ability of a state to function, or (b) significantly impair the security capabilities of a state.
3. Be clear as to whether cover excludes computer systems that are located outside any state which is affected, in the manner outlined in 2(a) and (b) above, by the state backed cyber-attack.
4. Set out a robust basis by which the parties agree on how any state backed cyber-attack will be attributed to one or more states.
5. Ensure all key terms are clearly defined.
The Bulletin also requires that the responsible managing agents be able to show that the exclusion has been “legally reviewed having regard to the interests of underwriters”.
The Bulletin also refers to the four model clauses published by the Lloyd’s Market Association (LMA) under Bulletin LMA21-042-PD dated 25 November 2021 [2], which insurers may use as a starting point.
Requirement 4, as set out above, is likely to be a source of dispute and negotiation between brokers, insurers and insureds, both before a policy incepts and once a claim arises. Even where an insured has agreed a “robust basis” for attributing an attack to a given state or states, whether the requirements of that attribution have actually been met in a particular case is likely to be contested, given the nature of threat actors and the inherent difficulty in conclusively identifying them.
The other major issue that this kind of exclusion raises is a “burden of proof” issue.
Generally, in common law jurisdictions, an insurer bears the burden of proving that an exclusion applies to a given loss or event. The burden will therefore be on Underwriters to prove that a given cyber-attack was a “state backed cyber-attack”. However, identifying a threat actor is at best an uncertain enterprise. There may be indicators in any given matter as to who the threat actor is (the ransomware variant in use, the infrastructure and tooling involved, or other identifying factors), but such indicators are rarely conclusive: ransomware variants are commonly leased to affiliates under a ransomware-as-a-service model, tooling is shared or stolen between groups, and attackers can deliberately plant false flags. Those indicators are therefore likely to fall a long way short of the degree of proof required to uphold the application of an exclusion in Court.
In order to defend and support the application of such an exclusion, insurers are likely to require testimony from the forensics firm as to the evidence it relied upon in establishing the identity of the threat actor (assuming the forensics firm was able to do so), along with expert evidence from a recognised and accredited “cyber warfare” expert as to what kinds of evidence are generally available, whether the forensic team had enough evidence to support its conclusion, and whether that evidence actually supports the conclusion the forensics team drew.
While some well-known cyber threat actors (e.g. Conti) are believed to be state backed, one wonders whether even the available information about Conti would be admissible in Court. Do the voluminous chat records that were dumped onto the internet have the requisite degree of reliability to be admitted into evidence, not merely as statements that were apparently made, but for the truth of their contents?
If a forensics firm relies on “open source” data to identify a given threat actor, that evidence may be admissible to explain the rationale underlying the firm’s conclusion, but it may not be admissible for the truth of the statements and information it contains unless the author can be compelled to testify as to the sources relied upon in reaching those conclusions.
While the Lloyd’s requirement that this exclusion appear in all standalone cyber policies does not apply until policies incept or renew on or after 31 March 2023, one conclusion can be drawn now: the early attempts to apply such an exclusion are likely to generate significant litigation between insurers and insureds, in multiple jurisdictions.
If you have questions about how to establish the identity and potential status of a threat actor, CyberClan can help through our thorough deep risk analysis investigatory and compliance tools and processes. CyberClan also provides a no-nonsense Incident Response Retainer which does not exclude state sponsored or war events giving rise to a network event.
Please reach out to us by completing and submitting the form below.
[1] https://assets.lloyds.com/media/35926dc8-c885-497b-aed8-6d2f87c1415d/Y5381%20Market%20Bulletin%20-%20Cyber-attack%20exclusions.pdf
[2] https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA21-042-PD.aspx