
Lloyd's requirements for state-backed cyber-attack exclusions

20 October 2022

From March 31 next year, all standalone cyber-attack policies must exclude liability for losses arising from any state-backed cyber-attack. We consider the impact of these minimum requirements in this rapidly evolving area of law. 

War risks

At the heart of concerns about insuring war risks is the prospect that no market is capable of absorbing the cost of a significant conflict. That risk must be borne either by uninsured businesses and individuals or by nation states.

In its August 2022 Market Bulletin Y5381, Lloyd's acknowledged that, if not managed properly, cyber business has the potential to expose the market to systemic risks that syndicates would struggle to manage. In particular, the ability of harmful code to spread and the enormous dependency that society now has on IT mean that losses have the potential to significantly exceed what the market can bear.

Rapid advances in technology have led to an exponential increase in electronic acts of aggression by nation states, whether by espionage, sabotage, theft or war, all of which raise significant challenges for the insurance market. It is vital that insurers keep pace with the complexities that can arise from cyber-attack exposures when addressing issues of coverage.

Lloyd's has indicated that underwriters need to take account of the possibility that state-backed attacks may occur outside of a conventional war involving physical force. In light of this, Lloyd's is requiring all standalone cyber-attack policies to include a clause excluding liability for losses arising from state-backed cyber-attacks, in addition to any war exclusions.

Minimum requirements

There are five minimum requirements for such clauses, which must:

  1. Exclude losses arising from a war (whether declared or not) where the policy does not have a separate war exclusion.
  2. Exclude losses arising from state-backed cyber-attacks that significantly impair the ability of a state to function or significantly impair the security capabilities of a state (subject to 3 below).
  3. Be clear as to whether the cover excludes computer systems that are located outside of any state which is affected.
  4. Set out a robust basis by which the parties agree on how any state-backed cyber-attack will be attributed to one or more states.
  5. Ensure that all key terms are clearly defined.

Managing agents must be able to show that these exclusions have been legally reviewed. The requirements take effect from 31 March 2023. There is no requirement to endorse existing policies unless the expiry date is more than 12 months from 31 March 2023.

LMA Model exclusion clauses

Lloyd's has previously produced four model exclusion clauses. 

Model exclusion clause 1 excludes "any loss, damage, liability, cost or expense…directly or indirectly occasioned by, happening through or in consequence of war or a cyber operation".

The use of "happening through" is interesting, and suggests an intention to widen the 'causation net' beyond damage immediately and directly caused by a cyber operation and potentially brings into play wider arguments about causation. These arguments are likely to be difficult to resolve – identifying what harm "happened through" a cyber operation may be just as difficult as establishing who was responsible for the cyber operation in the first place. In addition, the use of "directly or indirectly" suggests an intention that the exclusion apply broadly, possibly even where there is an intervening cause between the cyber operation and the loss.

The attribution clause is the same in each of the proposed model exclusion clauses. In essence, the primary factor is whether the state which is the victim of the cyber operation attributes it to another state or to those acting on behalf of another state. In the absence of attribution by the government of the victim state, the model clause provides that the insurer may rely on an objectively reasonable inference as to the attribution of the cyber operation. Where a government takes an unreasonable length of time to attribute a cyber operation, does not attribute it or declares that it is unable to attribute it, it is for the insurer "to prove attribution by reference to such other evidence as is available".

A "cyber operation" is defined as "the use of a computer system … to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state". "War" is defined as "the use of physical force by a state against another state or as part of a civil war, rebellion, revolution, insurrection" and/or "military or usurped power or confiscation or nationalisation or requisition or destruction of or damage to property by or under the order of any government or public or local authority".

The latter part of this test seems wide. It ostensibly covers loss or damage caused by the nationalisation of property under the order of a government, as well as the destruction of or damage to property under the order of a government, irrespective of there being a state of conflict with another government. By virtue of the reference to "war" or a "cyber operation", this is not just a cyber exclusion. Policyholders may argue that, as a matter of construction, the term "war" should be read in the context of the neighbouring term "cyber operation". However, strictly speaking it applies in the alternative to war or to property damage that is related to war. The "directly or indirectly" language and the breadth of the excluded perils mean that the clause is broad and increases the chances of insurers being able to rely upon it successfully in circumstances where there is some relationship between war (or the other excluded perils) and the loss.

The second model is similar but limits the exclusion for cyber operations to (a) cyber operations carried out in the course of war, (b) what are described as retaliatory cyber operations between specified states and (c) a cyber operation that has a major detrimental impact on the functioning of a state or on its security or defence. The second model clause also enables the insurer to apply limits to the cover available for damage caused by cyber operations outside of these defined areas.

The third model clause is effectively the same as the second model clause but without the facility to impose such limits.

The fourth model clause is also similar to the second clause, save that cover is provided for the direct or indirect effect of a cyber operation on a "bystanding cyber asset". A "bystanding cyber asset" is essentially a computer system used by the insured or its third party service providers that is not physically located in an impacted state but is affected by a cyber operation. An "impacted state" is defined as "..any state where a cyber operation has had a major detrimental impact on the functioning of the state due to the direct or indirect effect of the cyber operation on the availability, integrity or delivery of an essential service in that state and/or.. the security or defence of that state".

Lloyd's requirements place a significant onus on insurers providing this type of cyber cover to ensure that they have legally reviewed their wordings, and it would therefore plainly be sensible for all such insurers to do so at the earliest opportunity.

Practical considerations

Whilst the provision of model exclusion clauses will be of great assistance, in practical terms a number of issues will remain:

  1. How are cyber incidents to be attributed?
  2. Even if one is entitled to look at what a state itself says, it is not unheard of for different arms of a state to disagree as to the attribution of an attack or, indeed, for the state's view as to the attribution to change over time.
  3. There is also a prospect (as has been the case in relation to attributing incidents to terrorism) of states attributing attacks based on their own agendas rather than on the objective evidence.
  4. In addition, a state will often not attribute a cyber-operation to another state, leaving it instead to the parties to determine whether an attack can be attributed to a state (although, for example, FBI indictments tend to be very thorough). This can be extremely difficult to establish, and even experts can disagree as to the party responsible for a cyber operation.
  5. In this respect the proposed exclusions are potentially wide in circumstances where the insurer is entitled to rely on "an inference" which is objectively reasonable rather than having to rely on substantive or direct evidence of state involvement. This would appear to set the bar relatively low. Given the losses that may be incurred as a result of a cyber operation, it is quite possible that the issue of attribution will give rise to uncertainty at inception and to disputes afterwards. It seems likely that such disputes will require expert evidence.
  6. Will the apparent move from perpetrators using bespoke malware to the use of multi-use/commoditised malware make attribution more difficult?
  7. What challenges will be faced in attributing malware-free attacks?
  8. Who can give appropriate expert evidence on these matters and/or would wish to do so? It is possible that an expert would be giving away valuable information/tools if they were asked to provide a detailed explanation for their view on attribution (particularly if they were cross examined on it). How will expertise in attribution (where the court needs to consider whether there is sufficient evidence for an inference of an act of war or a cyber operation to be proven) be demonstrated?
  9. There appears to be no threshold for a cyber operation, meaning that even a potentially minor operation is likely to fall within the definition even though a nation state might not regard it as an act of war. As Marsh have observed in their April 2022 insight, "..every act between nations does not necessarily rise to the level of a hostile or warlike action, or a cyber operation".
  10. The definition of "state" is simply "sovereign state" (which seems a little circular). There is no indication yet as to what the position will be if, for example, various arms/organs of the state disagree. What would happen if, for example, the UK Foreign Office were to attribute an incident to Iran, the National Cyber Security Centre were to attribute it to North Korea and the Home Office or police to attribute it to China?
  11. Other terms are also likely to need consideration, including, "significant impairment", "detrimental impact" and "essential services". However, the breadth of these terms may make them effective in excluding losses and avoiding disputes as, typically, exclusions which seek to precisely define exactly when the exclusion will take effect are interpreted more narrowly.
  12. The "specified states" are China, France, Germany, Japan, Russia, UK and the USA. Interestingly, states with significant cyber capabilities such as North Korea and Israel are not mentioned.
  13. How can policyholders be reassured about the cover that they are acquiring? Some may feel that these exclusions serve to reduce the cover that was previously available (even though war exclusions would already have been in place in many instances).
  14. Marsh have queried why there are four model clauses, expressing concern that whilst this offers choice it also suggests a lack of consensus in the market.

All of the above could introduce complications into the claims handling process. However, syndicates have very little option given the fact that Lloyd's has made its position clear. Indeed, given the fact that war exclusions have been around for a long time and modern warfare will increasingly be conducted electronically as well as in person, it could be said that the market in this respect is simply keeping up with developments in the conduct of modern warfare.

It seems unlikely that this is the end of the road. Discussions continue in the market. Marsh have proposed an alternative model clause which limits the exclusion to cyber operations carried out as part of a war, reduces the weight to be attached to attribution by governments (from a primary factor to something that the insurer should have regard to) and alters the requirement regarding the inference from "objectively reasonable" to "reasonable". It also amends the definition of cyber operation to mean the use of a computer system "by, at the direction, or under the control of a sovereign state" and removes the second element of the definition of "war" ("military or usurped power or confiscation or nationalisation or requisition or destruction of or damage to property by or under the order of any government or public or local authority"). Some of these proposals may themselves raise further questions. For example, attribution clauses bring a certain amount of clarity because either a state attributes the act to another state or it does not. In contrast, whether the use of a computer system is at the direction of a sovereign state may well be a difficult question to resolve factually.

Such discussions will no doubt continue and are plainly helpful as both the market and policyholders look to achieve as much clarity and certainty as possible in this complex arena.
