On Thanksgiving, Lloyd's Market Association (LMA), an advisory group at the core of Lloyd's of London, released model language for cyber insurance policies to exclude cyberwar. It set off a firestorm of concern among technical experts about what this meant for the future of insurance policies, how it might dangerously narrow cyber coverage and why this marked major change in how risk would be handled.
But technical experts are not insurance experts. The impact of Lloyd's model language is important, but not because it is a dramatic change from current policies. It is important because current policies across the insurance industry, unbeknownst to many, use outmoded language.
"In order to understand the Lloyd's announcement, you have to understand the baseline, where we were before these wordings were proposed," said Jon Bateman, a fellow at the Carnegie Endowment for International Peace, who has studied how cyber insurance handles nation-state actors.
Cyberwar defined
Across the board, standard insurance policies exclude coverage for "hostile and warlike actions" – and they have for decades. That's certainly true at Lloyds. "There is a requirement in the Lloyd’s market that all policies exclude war unless specific dispensation is provided by Lloyd’s Corporation," said Patrick Davison, underwriting director at LMA.
What counts as hostile and warlike is determined in no small part by the courts over years and years. That court history does not fully exist for cyber insurance yet, meaning that both insurers and policyholders are waiting on litigation to determine what their existing policies mean.
There are legitimate criticisms of Lloyd's wording say insurance and business experts, and issues that will likely be determined in court for policies that adopt the language. Yet most agree, clarifying cyberwar is a step forward, not a step backward.
Lloyd's Market Association offered four model clauses that could be used in whole or part in insurance policies, offering a range of different coverages for state activity. In the broadest sense, they cover operations carried out during war, states retaliating for other cyber activity, or for cyber operations that impact national or homeland security as a whole. The least restrictive language carves out an exemption for that last clause when the operation is against a system covered by the insurance policy; more restrictive wordings do not.
The burden in the LMA wording is placed on the insurer to prove a state action.
Policies adopting the language will be more descriptive than "hostile and warlike," though that might not necessarily mean more restrictive.
Bateman said insurance companies have often not enforced the hostile and warlike clause and paid cyber insurance claims that concern state actors, a consequence of cyber insurance being a buyers market over the past few years. As the market hardens, that might too.
What policyholders may be confronted with might not be new contractual exclusions in this language but an insurer becoming more likely to exert their contractual ability not to pay. That may remove a major driver of cyber insurance for the largest companies.
"Big companies are more interested in insurance for extreme incidents. They are able to self insure for events like ransomware," said Bateman. "And yet insurers are grappling with, can they measure that amount of risk? Do they have enough capital to cover it?"
On Twitter, founder of the Silverado Policy Institute (and previously, founder of Crowdstrike) Dmitri Alperovich noted that the most costly cyber incidents in history, instances like NotPetya or Wannacry, would fall under the category of retaliation.
For smaller enterprises, additional clarity in coverages could be a boon, said Karen Evans, managing director of the small and mid-sized business cyber resource the Cyber Readiness Institute. She said confusion over policies is often to the detriment of policy holders who may not know what to look for when shopping or what coverage they hold even as they hold it. Insurance will likely be a point of emphasis for CRI in the coming year.
"One of the workstreams that CRI is presenting to our members in our upcoming meeting for 2022 is to really to help navigate the landscape of cyber insurance for small and midsize businesses is about putting together information that's going to help them make informed decision about insurance," she said.
That goes beyond planning for cyber warfare, and includes assurances that enterprises can prove due diligence when applying for claims. But state actors are still an issue. Smaller companies, she said, may not be entirely aware of their role in the supply chain and attractiveness as targets, and may not fully understand their insurance needs.
Overcoming cyber insurance 'doom and gloom'
Rightly or wrongly, the LMA announcement had added to a doom and gloom feeling about insurance spurred by rising rates and declining coverage maximums. That feeling was exacerbated days before the LMA announcement by an Reuters' report that Lloyd's of London had "discouraged its 100-odd syndicate members from taking on cyber business next year."
While changes in rates, coverage and the global posturing of insurance companies are undeniable, the Reuters report did not ring true to Davidson.
"We do not understand Syndicates with a proven track record in writing cyber business to have been discouraged from taking on cyber business," said LMA's Davidson. "Across the board we understand the cyber market in Lloyd’s is anticipated to grow in 2022, although as a market association we do not get involved in underwriting decisions of individual syndicates."
The LMA wording should not be taken as the first domino toward some cyber insurance apocalypse, said Bateman. Yet, in the long run, he said insurance did seem ripe for change.
"It's a puzzle," he said. "On the one hand, everyone wants robust, healthy, competitive cyber insurance. People demand the product because cyber risks are growing, and it's a great new source of revenue and profit for insurance companies. And even governments have an interest in creating this tool to help people manage this growing source of risk.
"Everyone wants this to succeed," Bateman added. "But on the other hand, it's not clear yet that the equations balance out."