On 16 August 2022 Lloyd's issued a market bulletin requiring that, from 31 March 2023, all standalone cyber policies exclude war and non-war state backed cyber-attacks. Lloyd's stated this was required because,
"the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb."
Whilst the requirements set out in the bulletin are relatively narrow, the LMA model clauses that Lloyd's referenced are broader and may exclude incidents that policyholders could assume covered. Companies will need to pay particular attention to the wording of these exclusions, which (if not already in policies) will be applied on renewal as the 31 March 2023 deadline approaches.
The requirement that such risks be excluded is understandable given the systemic risk identified by Lloyds. However, it will be unwelcome to businesses seeking to protect themselves against these growing risks. The world's largest sovereign wealth fund recently told the FT that cyber security, not market volatility, is its biggest concern. Nicolai Tangen, the Chief Executive of Norway's Norges Bank Investment Management, said that the fund is subject to around 100,000 cyber-attacks a year with 1,000 of those it classifies as serious. Mr Tangen said the attempts are increasing and becoming more sophisticated.
There are many recent examples of state backed cyber-attacks. The fund's Deputy Chief Executive, Trond Grande pointed to the 2020 SolarWinds cyber-attack as an example of the sophistication of cyber-attacks. SolarWinds is a US based software provider which, at the time of the attack, had more than 320,000 customers including 499 of the Fortune 500. Hackers inserted malicious code into SolarWinds' software which was uploaded by around 18,000 customers as part of a routine update. The resulting access compromised US government agencies and companies including Microsoft, Deloitte and Intel.
In May 2021, the US and the UK stated that the Russian Foreign Intelligence Service was responsible for the attack. In response, the then director said he would be "flattered" if the service had been responsible for such a sophisticated attack but said he could not "claim the creative achievements of others as his own".
Politico reported on 15 February 2021 on a similar supply chain attack identified by France's cyber security agency ANSSI involving Centreon whose clients included Airbus, EDF, ArcelorMittal and Air France. As with SolarWinds, the hackers were said to be Russian, and allegedly linked to the Russian military agency GRU.
North Korea is also the source of state-sponsored cyber-attacks, often focused on financial gain. In April 2020, the FBI and other US agencies warned that North Korea "has demonstrated a pattern of disruptive and harmful cyber activity" and that it "is increasingly able to generate revenue … by using malicious cyber activities to steal from financial institutions through increasingly sophisticated tools and tactics." It cited a number of examples of cyber-attacks allegedly attributable to North Korea including the November 2014 attack on Sony Pictures and the WannaCry 2.0 ransomware.
One consequence of the COVID-19 pandemic is that cyber-attacks have increased as hackers seek to exploit system vulnerabilities as businesses moved activities online. The war in Ukraine has also intensified the risk of cyber-attacks in that region. The UK's National Cyber Security Centre (NCSC) warned, just prior to Russia's invasion of Ukraine, that organisations should bolster their cyber defences because "cyber was part of Russia's military doctrine" and "cyber activity against Ukrainian targets had caused spillover effects around the world." The cyber-attack on Viasat in Ukraine on 24 February 2022 provided one such example when that incident disrupted wind farms and internet users in central Europe.
The danger for policyholders is that insurers add broadly worded exclusions that remove cover for any cyber-attacks involving state actors. The Lloyd's bulletin states that losses arising from state backed cyber-attacks that: (a) significantly impair the ability of a state to function; or, (b) significantly impair the security capabilities of a state, should be excluded. Arguably an exclusion along those lines would not catch attacks like SolarWinds and Centreon because, although state backed, they did not significantly impair the functioning or security capabilities of a state. However, the bulletin links to LMA model clauses which Lloyd's say meet its requirements. Some of which are broader than the requirements in the bulletin with the first model clause simply excluding all losses caused by the use of a computer system by a state to disrupt information in a computer system in another state. That would arguably catch losses arising from the cyber-attacks outlined above.
The other requirements include that the exclusion should also state whether cover is excluded for computer systems located outside the affected state and should address how the parties will agree that a cyber attack is attributed to a state.
The latter being particularly important given that it is rare for a state to admit to its involvement in a cyber-attack, as shown by Russia's denial of its involvement in SolarWinds. It is also rare for attribution to be universally accepted, and in some cases attacks can mimic others for example the attacks on TV5Monde that pretended to be the work of a terrorist group, but were linked to the Russian state.
Given that the Security Ratings company Bitsight estimated that the insured losses arising from SolarWinds amounted to USD90,000,000, a broader exclusion could leave businesses with considerable uninsured losses in the event of a future state backed cyber-attack. In light of this, companies wishing to insure against cyber risks should closely review the exclusions and the risks they face. For those that may be impacted by state actors they may need to look for additional cover that does provide cover for state backed cyber-attacks.