Michael Bahar is a partner at Eversheds Sutherland, and Chris Bloomfield is an Associate at Eversheds Sutherland.
Exclusions for acts of war could soon operate to exclude state-sanctioned cyber-attacks, putting a premium not only on reading the often-ignored force majeure clause, but also on taking care to negotiate clarity within it.
On August 16, 2022, Lloyd's of London announced that, beginning March 31, 2023, it would require all cyber insurance policies to specifically exclude coverage for losses related to state-backed cyber-attacks. The requirement, part of a recent trend of limiting cyber incident coverage, could preclude coverage during costly cyber-attacks by equating state-backed cyber-attacks with kinetic hostility from an insurance perspective. It increases uncertainty, since it can often take weeks for experts to attribute attacks to specific groups of threat actors, and those findings are rarely conclusive.
In light of this decision, the need to negotiate clarity in coverage takes on increasing urgency.
Background
With costly cyber-attacks on the rise, insurance companies are attempting to limit their coverage for cyber incidents by raising premiums, limiting policy coverage, and excluding coverage for certain events. Businesses paid an average of 133 percent more in premiums in December 2021 than the same time a year prior. Meanwhile, the policy limits in Q1 2022 were roughly half of those offered during the 2021 renewal cycle.
Beginning March 31, 2023, Lloyd's would require state-backed cyber exclusion clauses to:
1. Exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
2. (subject to 3) Exclude losses arising from state-backed cyber-attacks that
(a) significantly impair the ability of a state to function, or
(b) significantly impair the security capabilities of a state.
3. Be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state-backed cyber-attack.
4. Set out a robust basis by which the parties agree on how any state-backed cyber-attack will be attributed to one or more states.
5. Ensure all key terms are clearly defined.
The War Exclusion and Cyber Events
Lloyd's bulletin makes clear that these exceptions apply even where there is no underlying physical war, which has been at the center of litigation between cyber insurance providers and their insureds since the 2017 global NotPetya ransomware attack.
Two cases related to the NotPetya ransomware campaign shed light on the war exclusion, cyber-attacks, and the question of whether cyber-attacks can be considered acts of war. NotPetya was attributed to the Russian government by the U.S. and other national governments and is estimated to have cost $10 billion in damages worldwide. Zurich American Insurance denied a $100 million claim for losses arising from the incident to the multinational food company Mondelez under the war exclusion, which excluded coverage for loss arising out of "hostile or warlike actions (…) by any government or sovereign power (…)". That case settled on October 24, 2022, just before the trial ended, but a denial of coverage based on the NotPetya attack was ruled improper in Merck & Co v. Ace American Insurance, holding that the war exclusion did not apply to the NotPetya attack, as a reasonable understanding of the war exclusion would require it to involve the use of armed forces. Lloyd's is aiming to avoid the ambiguity associated with applying the war exclusion to cyber-attacks with this new contract language.
Attribution Determines Coverage
Two key questions are who is responsible for determining attribution, and what coverage does the insurer benefit from until attribution is determined?
In November 2021, Lloyd's provided guidance on how attribution to state actors would be determined in the context of cyber insurance:
(…)
4. The primary but not exclusive factor in determining attribution of a cyber operation shall be whether the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf.
5. Pending attribution by the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located, the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its behalf. It is agreed that during this period no loss shall be paid.
6. In the event that the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located either:
6.1. takes an unreasonable length of time to, or
6.2. does not, or
6.3. declares it is unable to attribute the cyber operation to another state or those acting on its behalf, it shall be for the Insurer to prove attribution by reference to such other evidence as is available.
Lloyd's is indicating that the insurer is likely to be the arbiter of attribution, even in the absence of a clear government declaration. In addition to the technical challenges of attributing a cyber-attack to a foreign government, national governments may choose not to make public attribution in order to protect intelligence sources and methods, in light of diplomatic or military considerations, or based on domestic politics. State sponsors of cyber-attacks also base their strategy on plausible deniability, and create semi-permeable membranes between criminal and state-directed cyber activities. The Russian Federal Security Service (FSB, formerly known as the KGB) has been known to contract out traditional espionage activities to criminal hacking groups.
The attribution process takes time, and the first few days after a cyber-attack are critical: organizations are tasked with recovering their systems from the attack and discovering what data and systems may have been affected and how the attack occurred, while also communicating the event to their clients, customers, investors, suppliers, employees and regulators. Legal counsel, breach recovery services, and forensic investigations are critical immediately after a breach is discovered, and their costs may be covered by cyber insurance policies. Unless the exclusion is carefully drafted, organizations could face uncertainty over whether their policy will cover the costs of remediation and third-party experts in the early days of an event – and this may be some weeks before attribution (if it happens at all).
Litigation between an insurer and its insured may become a battle of the experts in cases where the insurer itself attributes an attack to a nation-state and denies coverage based on that assessment. Without a mandatory arbitration clause (or another form of alternative dispute resolution), litigation of this type raises the risk that the kinds of details organizations generally want to keep out of the public eye following a cyber event will become public.
With these difficulties comes uncertainty, and with Lloyd's announcement, it would appear that companies will bear a greater share of the risk.
Not Just Insurance Contracts
With geopolitical instability increasing and more cyber-attacks being deployed instead of (or alongside) traditional methods of warfare, companies would be well advised to take a close look at force majeure clauses within critical third-party contracts. It remains common in software, cloud and managed services agreements for vendors to casually include "acts of war", "cyber-attacks" and "acts of a foreign government" in their definitions of force majeure.
As we learnt through the Covid-19 pandemic (and the after-effects of the Evergreen's grounding in the Suez), force majeure clauses should never be regarded as boilerplate. If an entity insists that cyber-attacks are a "force majeure", you may wish to carefully reconsider contracting with them.
Conclusion and Legal Significance
Lloyd's decision to exclude state-backed cyber-attacks from standard cyber insurance policies is likely to be mimicked by other insurance providers. Marsh Insurance initially published a critique of the exclusion requirement shortly after it was published, then softened its stance and suggested its own exclusion language some weeks later. Organizations should pay particular attention to how terms like "cyber operation" are defined, and to how attribution will be determined in cases of suspected state-backed cyber-attacks.
These views are the authors' own.
Michael Bahar is a partner in Eversheds Sutherland's Washington, D.C. office. He is the co-lead of the firm's global cybersecurity and privacy practice and is also part of the firm's litigation practice. As former Deputy Legal Advisor to the National Security Council at the White House and former Minority Staff Director and General Counsel for the US House Intelligence Committee, Michael provides advice on cybersecurity and privacy, international law and national security law. While with the House Intelligence Committee, he was lead drafter and negotiator for the Cybersecurity Act of 2015 and the USA Freedom Act, which reformed certain key surveillance authorities.
Chris Bloomfield is an Associate in Eversheds Sutherland's Cybersecurity and Privacy practice and counsels clients on a broad range of cybersecurity and data privacy matters, including emerging risks, new products, and a wide variety of compliance and regulatory matters.