’It’s quite costly for them,’ says associate

There has been limited use of cyber insurance for sovereign wealth funds and international public finance entities due to the higher risks they are exposed to, according to S&P Global Ratings associate Michelle Keferstein.

Keferstein made the statement after being asked about the impact of Lloyd’s of London’s cyber policy exclusion for state-backed attacks during a cyber risk webinar last week (30 March 2023).

In August 2022, the market said it would require its underwriters to include exclusion clauses for state-backed cyber attacks within standalone cyber policies from 31 March 2023.

A bulletin said it was “requiring that all standalone cyber attack policies falling within risk codes CY and CZ must include, unless agreed by Lloyd’s, a suitable clause excluding liability for losses arising from any state-backed cyber attack”.

Keferstein said the move, which came into force last week, could impact the critical infrastructure and corporate sectors as well as sovereigns “once a cyber attack has been identified as state sponsored”.

“It should be stressed that it’s kind of hard already to calculate the cyber risk and how it’s going to impact an entity and their associated costs in general,” she said.

“What I want to highlight as well is that we’ve seen limited usage of cyber insurance for both sovereigns and international public finance entities in general.

“[This is because] it’s quite costly for them based on the sheer size the insurance would need to cover and the higher risk they’re exposed to.”

Starting to prepare?

Last year (30 June 2022), Lloyd’s explained that recent losses arising from sovereign state cyber attacks, such as incidents that have occurred during the Russia-Ukraine conflict, had led to these types of exposures becoming a “market focus”.

It said that “the damage these attacks can cause and their ability to spread creates a systemic risk to insurers”.

Keferstein highlighted that some entities in the public finance space were self-insuring in response to the threat of cyber attack.

She said: “Some entities in the public finance space created liquidity pools with some peers to build up reserves in case an attack occurs or build up their own reserves to cover for associated costs with a cyber attack.”