Skip to main content
Article

Client alert: Lloyd’s requirements for state backed cyber attack exclusions

By Andrew Hill | September 21, 2022

We explore the impact of recently released minimum requirements with respect to nation state cyber-attack exclusions in standalone cyber policies.
Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)
N/A

This article was originally written by our UK colleagues for a UK audience. We have shared this article for informational purposes only as it may be of interest to our global clients. Please speak to your local office contact to further discuss any of the points raised in this article.

A market bulletin was issued by Lloyd’s of London (“Lloyd’s”) on August 16, which outlined its minimum requirements with respect to nation state cyber-attack exclusions. At the same time, Lloyd’s confirmed that those requirements are met by any one of the four model exclusions issued by the London Market Association (“LMA”) in 2021 (LMA21-043-PD) (or any other suitable clause which meets the minimum requirements). While all four of those exclusions commonly exclude losses arising from physical war, only one of those exclusions, the LMA5564, excludes nation state cyber attacks outright. The remaining three exclusions (LMA5565-67) all provide some degree of cover for nation state cyber attacks.

Understandably, the multiple-choice approach adopted by the LMA does not necessarily lend itself to easy articulation of the nuances between each of the exclusions. Crucially, however, the exclusions are different from one another. It is important to clarify to cyber insurance buyers that the LMA war exclusions do not exclude coverage for all nation state cyber attacks.

To date, it would appear that the LMA5567 is emerging as the most widely used of the four exclusions by Lloyd’s insurers as they move towards meeting the requirement set out in the recent market bulletin. In summary, this exclusion does exclude losses arising from physical war but does not exclude state-sponsored cyber attacks unless (1) they are carried out in the course of physical war or (2) they can be categorised against the applicable threshold points in the exclusion as having a major detrimental impact on the essential services or defence of a nation state – and only then, this limb (2) of the exclusion only applies if the insured’s digital assets affected by the attack are physically located in such impacted nation state.

Simplicity and clarity are both laudable qualities, particularly in the context of advising on complex insurance contracts. However, these qualities should not compromise insight and accuracy. Current trends in the cyber marketplace suggest that we are not going to see all cyber insurers supporting one war exclusion any time soon. Therefore, the ability to provide clients with clear, insightful and accurate advice on the nuances between the range of exclusions that have emerged (and, in all likelihood, will continue to emerge) that address war and nation state cyber attacks is crucial.

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Author

Executive Director, Product Innovation Lead | Coverage Specialist, Cyber & TMT

Related Capabilities

Contact Us