The Big Question: Are state-sponsored cyber-attacks now excluded across the Lloyd’s market? With Piers Tuggey, Head of Cyber, Chaucer

There can be little debate that cyber (re)insurance is one of the hottest topics in the market at the moment. Just this week, for example, cyber risk firm Resilience warned that the cyber insurance model is actually “broken”, with more needed to be done to protect businesses across the world. Worryingly, it added that the cost of cybercrime is expected to reach a staggering $10.5 trillion by 2025, outpacing investment in security and insurance by more than five times. Resilience said with only 65% of organisations stating that they plan to increase security spending this year, a new approach to improve cyber resiliency is needed.

From the market’s perspective, of course, it’s not just about improved risk management from insureds. For some years now there has been a growing awareness that terms and conditions needed to be tightened, with a pressing need for greater clarity of policy wordings around war exclusions in particular.

So it has come to pass that the Lloyd’s market has this year introduced a hugely controversial cyber war exclusion clause, which it’s fair to say has generated a fair amount of debate. With this in mind we sat down with one of the market’s leaders, Piers Tuggey, Head of Cyber at Chaucer, to ask this week’s Big Question: Are state-sponsored cyber-attacks now excluded across the Lloyd’s market?

Ian Summers, Global Business Leader, AdvantageGo

“There is clearly a lot of discussion, and a lot of nuance to the language and framework laid out by Lloyd’s, and there is a lot of nuance to the language that has been published by the LMA – around the model clauses and the sort of parameters around which managing agents regulated by Lloyd’s can come to their own conclusions, subject to legal review, about what language is deemed compliant with the bulletin published by Lloyd’s last year,” says Tuggey.

“This is a topic that has been bubbling around in the Lloyd’s market for nearly six years. Primarily as a result of some requests from brokers following Not Petya for more clarity around existing War exclusionary language in cyber contracts. There were a couple of cases that ultimately led to litigation between a couple of insureds and carriers that really fuelled the conversation. The nuance around those particular cases is important in that the disputes related to the response of property insurance policies to a cyber event. Notably, in the cyber market, where insureds had cyber specific policies rather than making a claim against their property policy, there was little or no dispute.”

That discussion, he adds, led to the LMA beginning a piece of work around trying to come up with a form of words, or some clauses, that provided the clarity that was being requested by brokers. The original language that was applied to cyber insurance policies and policies in various other lines of business evolved Lloyd’s response to the events during the Spanish Civil War in the 1930s: essentially an acknowledgement that war represented an existential risk to the balance-sheets of insurers. The weird nexus, he suggests, is that when you introduce the domain of information technology, threat actors, the cyber landscape etc to the context of war, from a doctrinal perspective you have something that is relatively new and hasn’t necessarily been considered closely when it comes to structuring insurance policies and cyber insurance policies specifically, until recently.

“It’s really very complex, as there is no broad-brush, multilateral and internationally accepted definition of war,” he adds. “Different jurisdictions have different views in law, and then there is common law, tort and so on. Also, in the normal lexicon, if you and I talk about war and were asked to define it we’d probably start talking about guns and bullets, massive widespread damage and casualties. We’ve all got an idea in our mind’s eye of what war really is, but when you try to translate that into contract language with a cyber lens, it becomes very complicated.”

“In the context of the discussion that led to the drafting and publication of the LMA model clauses for war there was a general acknowledgment that nation states may choose to conduct cyber operations vicariously and how this might be handled… nation states working in the shadows has always gone on. But where do you draw the line and how do you consider the point at which that sort of behaviour becomes part of war, or equivalent to war, in terms of the damage it could potentially cause? Insurers have a role in providing risk transfer cover for perils, but at what point does that drift out and become an uninsurable risk and the responsibility of government as an insurer of last resort?”

“To answer the specific question, Are state sponsored cyber-attacks now excluded across the market? I would say not necessarily. It is complex, but what is excluded by intent and language, , is war. Some of the model clauses that have been published by the LMA consider a ‘threshold of materiality’. There is language in some of those clauses that speaks to a major detrimental impact to a sovereign state, and there has been lots of discussion about what that means and how you translate that into contract language. Some of the clauses have tried to do that, and there are many elements to it. They say that if it impacts the functioning of a state and/or the security of a state, then that is deemed to be a major detrimental impact.”

What’s interesting, he adds, and some of the considerations that went into the drafting of the language with various parties involved, was along the lines of: do nation states have some kind of framework where they grade events on a scale of severity? How would any given nation state define a detrimental impact to its own functioning?

“So if there is a natural catastrophe that occurs in the US, for example, the US government or the President has the opportunity to determine the event as being of a scale that locks in or triggers various national-level responses. If you think about FEMA, for example. So there is precedent here to defining what a detrimental impact is, but it is different for each state.”