Lloyd’s are concerned that war exclusions traditionally used in cyber insurance policies do not adequately address the inherent systemic loss risk associated with cyber threats. A single cyber-attack that has a widespread impact across multiple organisations could, Lloyd’s say, affect the insurance market’s ability to pay any covered losses.
Given their resources, Lloyd’s believe that nation states pose the greatest threat in terms of the development of malware capable of causing widespread, systemic destruction. It follows that Lloyd’s requirements have a particular focus on nation state cyber activity, both in the course of war or independently of war.
|War exclusions in cyber policies: the important details
The war exclusion, referred to as LMA5667A, has emerged as the most widely used of the war exclusions that meet Lloyd’s guidelines. This exclusion excludes all losses arising out of war and cyber operations that are part of war. Cyber operations deployed by nation states outside of war may or may not be excluded depending on the specific facts. Only those losses arising from affected computer systems located in countries that meet the criteria for an “Impacted State” are excluded. This approach addresses the systemic loss concerns expressed by Lloyd’s.
While some buyers of cyber insurance have welcomed the greater clarity of LMA5567A (and its variants), others have questioned whether that clarity comes at the expense of cover. Specifically, some buyers argue the absence of clarity in the war exclusions that have been traditionally seen in cyber insurance policies could be used to the policyholder’s advantage in the event of a coverage dispute.
Owing to the complexity of LMA5567A, it is not surprising that misconceptions around the scope of cover have emerged. Perhaps the most notable of misconceptions to have emerged is that Lloyd’s is no longer covering nation state cyber-attacks. This is inaccurate.
‘Traditional’ war exclusions approach the issue of war and nation state cyber activity differently to the Lloyd’s model war clauses. As such, it is invariably an over-simplification to suggest one approach to the war exclusion is ‘better’ for the policyholder than another.
In many cases, for those buyers of cyber insurance who have a strong view on the matter, it can come down to whether they prefer the approach widely used in these ‘traditional’ war exclusion over and above that used in Lloyd’s model war clauses.
In response to some of the issues that have been raised in response to LMA5567A, WTW has developed its own war exclusion. It is largely based on LMA5567A, but introduces several amendments, including a carve back of cover for certain losses arising out cyber operations deployed in conjunction with war.
Given that Lloyd’s insurers are unable to use war exclusions that are non-complaint with Lloyd’s guidelines and many non-Lloyd’s insurers are happy to continue using those ‘non-compliant’ exclusions, it seems unlikely insurers are going to reach a consensus on the matter any time soon. It follows that the prospect of one war exclusion that every insurer is prepared to support is remote at the present time.
A significant proportion of the direct cyber insurance market is reinsured. Should those reinsurers, that have historically given terms that provide for back-to-back cover of the war exclusion in the direct cyber insurance policy, provide terms which are subject to a Lloyd’s-compliant war exclusion, the emergence of a greater consensus on the issue arguably becomes a greater possibility.