Attribution, degree of damage and the insured’s ability to bounce back are all challenges that cyber insurers must continue to wrestle with
By Yiannis Kotoulas
Back in summer last year (16 August 2022), the world’s premier insurance marketplace and biggest provider of cyber insurance made a move that shocked some players in the market.
In a bulletin, Lloyd’s of London told its underwriters that, from 31 March 2023 and at the inception or renewal of each policy, they would be required to include exclusion clauses for particularly serious state-backed cyber attacks within standalone cyber policies.
From its perspective, Lloyd’s said that the potential damage resulting from these sorts of attacks could lead to a “systemic risk to insurers” and thus should not be covered.
At the time of its announcement, a spokesperson for Lloyd’s told Insurance Times that “cyber remains a key priority area for Lloyd’s”.
They added: “The advisory guidance provided, following a consultation with our market, is to ensure we take on the right kinds of risk as a market, while approaching this complex field with the expertise and diligence it requires.”
Much of the chatter in the market has referred to this policy as a ban on covering state-backed cyber attacks, but this is not strictly true.
Avoiding liability for a potentially systemic risk is a sensible play from the market – the payouts for such a cyber attack could reach catastrophic levels for insurers were entire industries to be attacked at once.
However, it is somewhat of a misnomer to refer to the exclusion policy as one covering state-backed cyber attacks as such.
In its bulletin, Lloyd’s specified that cyber insurers operating in its market must exclude losses “arising from state-backed cyber attacks that either significantly impair the ability of a state to function or that significantly impair the security capabilities of a state”.
The above clarifies that while the mandated exclusion does apply to state-backed attacks, it applies specifically to those state-backed attacks that would cause systemic damage.
Indeed, on 30 June 2022 Lloyd’s published a report entitled Shifting Powers: Physical Cyber Risk in a Changing Geopolitical Landscape, in which it explained that physical damage from cyber attacks – often caused by state actors – presented an “opportunity to develop bespoke insurance products for the industries and businesses most at risk from cyber physical disruption and destruction”.
In an article posted earlier this year (18 April 2023), CFC’s head of cyber strategy James Burns explained: “The Lloyd’s mandate has been consistently misrepresented as a requirement to exclude all nation state [cyber] attacks.
“This is simply not true. Cyber policies will cover nation state attacks as they have always done.”
Burns went on to explain that the exclusion mandate only covers attacks that would lead to systemic failures – “attacks that are so catastrophic in nature that they destroy a nation’s ability to function, the digital equivalent of a nuclear strike”.
Were Lloyd’s to attempt to ban the underwriting of all state-backed attacks, it would run into significant difficulty. One of the major challenges of this would lie in actually identifying where cyber attacks come from in the first place.
And even were that possible, it would be challenging to establish whether a cyber attacker was working for a nation state directly, working with their tacit approval or was entirely unaffiliated.
James Gerber, chief financial officer at cyber security firm SimSpace, told Insurance Times: “The only people that even stand a remote chance of doing accurate attribution are in our national cyber defence teams – and they’ve got sources and methods to protect.”
This is where Lloyd’s of London’s policy could justifiably be branded as insufficiently clear.
While it sets policy exclusions for these sorts of systemic risks where they originate from state-backed threat actors – and while cyber attacks that can cause systemic damage are most likely to come from these state-backed actors – particularly serious cyber attacks no longer necessarily originate from them.
Gerber added: “As a private company being insured, it really doesn’t matter who [a cyber attack] comes from, what matters is the damage that was done.
“It’s tempting to say that only nation states can do really bad damage – and that if a nation state [is the perpetrator] there’s potential for systemic risk, but that’s just not true anymore.
“Nation state cyber weapons were released out into the public 10 years ago – really nasty stuff. Who knows who it is wielding those weapons now?”
As Gerber noted, discussing attribution and which threat actors are responsible for which cyber attacks is not necessarily the right line of questioning anyway.
“We’re chasing our tails on that question,” he said. “The real question underwriters should be asking is ‘how effective is your company at withstanding a severe cyber attack from any source?’”
“That’s a healthy version of the question – once the insurance industry starts to ask that and requires [the insured] to deliver quantitative evidence that they can withstand those kinds of attacks from whatever source, then that will be a much more effective approach for the insurance industry to take,” he explained.
This position is a hopeful one that would help to build resilience to cyber attacks into the organisations buying insurance – try as it might, the insurance sector cannot stop cyber attacks from occurring or even reliably identify their origins.
It would be better to focus on controlling the controllables – cyber insurers should assist their insureds in building systems that are effectively able to withstand all forms of cyber attack.
As Gerber explained: “An absence of weakness is actually what an underwriter can properly underwrite.”