On August 16, Lloyd’s issued one of its regular market bulletins. This one looked just like any other Lloyd’s update to its underwriters – but its content was the private sector’s most explicit statement to date of how much geopolitics is changing globalised business. Lloyd’s announced that it will, as of March 2023, no longer offer stand-alone cyber insurance for state-backed cyber aggression. Geopolitical tensions are entering the globalised economy in full force, not just in Ukraine and Taiwan but around the world.
Cyber related business continues to be an evolving risk. If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage,”Tony Chaudhry | Market Bulletin Ref: Y5381
“Cyber related business continues to be an evolving risk. If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage,” Lloyd’s Underwriting Director Tony Chaudhry explained in the market bulletin. He was not exaggerating. In recent years insurers have had to cover the havoc caused by state-backed attacks including $10 billion losses incurred by companies hit by Russia’s NotPetya attack. Some insurers argued that NotPetya, having been attributed by Western governments to the Russian government should count as an act of war and thus fall under war exclusion clauses. But in January 2022, New Jersey Superior Court ruled that one of the companies – Merck – did indeed have the right to coverage of its $1.4 billion NotPetya losses under its cyber insurance policy with Ace American because a state-backed cyber attack could not be defined as an act of war.
Indeed, NotPetya and the slew of other recent cyber attacks thought to have been executed or supported by hostile states point to a dramatically changing situation for businesses. Just like Merck, they may now find themselves direct or indirect targets of geopolitically motivated aggression. Sweden decided, in late 2020, not to include Huawei in its 5G network, prompting announcements of retaliation by Chinese officials. The following spring, Sweden-based Ericsson won a mere 2% in China Mobile’s massive contract round, down from 11% in the previous round, and its sales declined in the country even as they increased in the rest of the world. Around the same time, after the Australian government had called for an international investigation into the origins of Covid, China – Australian winemakers’ most important export market -- imposed punitive tariffs reaching 200% on Australian wine. One year later, Australian wine exports to China had slumped by 96%. In late 2021, after the government of Lithuania invited Taiwan to open a representation office in Vilnius, Chinese ports stopped processing all goods featuring Lithuanian components.
Like Ericsson and the Australian winemakers, all the companies affected by geopolitically motivated aggression have sustained enormous harm. But it’s harm of a kind that they could neither predict nor plan for. And devastating though the aggression’s impact has been on each company, it was not war.
All over the world, companies and their insurers are finding themselves in a similar twilight zone. In Taiwan, companies could be cut off from their supply chains and their customers if China behaves in a menacing manner that prompts shipping companies, airlines and their insurers to suspend transportation to the island. And every time the Taipei governments or its allies take a decision that displeases Beijing, the latter may retaliate by harming Taiwanese companies. In August 2022, after US Speaker of the House Nancy Pelosi announced she’d visit Taiwan, Beijing suspended imports of several hundred Taiwanese products. In the weeks leading up to Russia’s invasion of Ukraine on 24 February 2022, Moscow’s menacing moves along Ukraine’s borders and in the Black Sea similarly demonstrated the harm aggression below the threshold of war can cause companies and thus countries’ economy. Many investors and FDI investors were so rattled by the prospect of invasion that they withdrew from the country, while international financial markets’ confidence in Ukraine dipped and the cost of insuring against a sovereign debt default grew. On 15 February, maritime insurers raised the Ukrainian and Russian parts of the Black Sea to their highest risk category, making insurance more expensive and cumbersome to obtain for shipping companies.
Using such aggression, known as grayzone aggression, the aggressor country can use any means at its disposal to harm or weaken another country including its civil society.
In the end Russia, of course, invaded, but the uncertainty just before the invasion highlights how much damage a country can do to another country without using military force. Using such aggression, known as grayzone aggression, the aggressor country can use any means at its disposal to harm or weaken another country including its civil society, and often these means are not illegal. Positioning tens of thousands of soldiers on one’s own side of the border is, for example, perfectly within a country’s right.
Indeed, as NotPetya victims’ insurers discovered, being able to attribute an act of aggression to a hostile state is little consolation since courts and legislation have not kept up with the evolving nature of conflict. “Traditional policy exclusions for war or war-like incidents fail to adequately capture situations where nation states are suspected of being behind an attack, or providing a safe harbour for the hackers, especially if the motives for the attack are unclear. Such issues of attribution and characterization create significant contractual uncertainty for insurers,” the Geneva Association noted in a January 2022 report on cyber aggression.
That leaves companies and insurers in an extremely difficult situation. Because conflict is man-made, it can’t be modelled like natural hazards can. And because grayzone aggression is so innovative and constantly uses new tools, it’s also impossible for insurers to know what to model. At the same time, companies are inherently vulnerable to grayzone aggression. Even if they were to perform the feat of limiting both supply chains and sales to friendly countries, they could be targeted by NotPetya-like cyber attacks.
This raises the question of whether insurers will be able to keep offering the all-round protection that companies have become accustomed to
This raises the question of whether insurers will be able to keep offering the all-round protection that companies have become accustomed to. Lloyd’s exclusion of state-backed cyber aggression is a clear indicator of underwriters concluding that they have to stop short of covering geopolitically motivated aggression, not just because it can result in catastrophic losses but also because of the extreme difficulty modelling it. (I examined the question of whether grayzone aggression is making some business areas uninsurable in a June 2022 report for the American Enterprise Institute.)
Compared to the risks affecting most businesses a decade ago, today’s risks are capricious and growing in number. That, in combination with the fact that insurance coverage may not be available for all circumstances, makes it imperative for businesses to better understand the geopolitical environment in which they’re now operating. Otherwise they may find themselves sudden victims in the manner of Australia’s winemarkers, or Merck, or Ericsson, or the other companies have, through no fault of their own, recently found themselves in the line of geopolitical fire.
All over the world, companies and their insurers are finding themselves in a similar twilight