Lloyd's Sets Out Requirements for State-Backed Cyber-Attack Exclusions

Several rows of binary bits are superimposed over a hooded cyber hacker on a laptop.

August 23, 2022

In a recent market bulletin, Lloyd's of London has set out requirements for state-backed cyber-attack exclusions in stand-alone cyber-risk insurance policies.

"In particular, when writing cyber-attack risks, underwriters need to take account of the possibility that state-backed attacks may occur outside of a war involving physical force," the bulletin said. "The damage that these attacks can cause and their ability to spread creates a similar systemic risk to insurers."

The bulletin said that it's important that Lloyd's has confidence that syndicates are managing their exposures to liabilities arising from war and state-backed cyber attacks. Robust policy wordings also provide the parties to the policy clarity over coverage, allowing risks to be properly priced and reducing the possibility of coverage disputes, according to the bulletin.

"We recognize that many managing agents in the market are already including clauses in their policies specifically tailored to exclude cyber-attack exposure arising both from war and non-war, state-backed cyber attacks," the bulletin said. "We wish to ensure, however, that all syndicates writing in this class are doing so at an appropriate standard, with robust wordings. We consider the complexities that can arise from cyber-attack exposures in the context of war or non-war, state-backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust."

The bulletin provided several minimum requirements for state-backed cyber-attack exclusions.

  • Exclude losses arising from war (whether declared or not), where the policy does not have a separate war exclusion
  • Exclude losses arising from state-backed cyber attacks that significantly impair the ability of a state to function or that significantly impair the security capabilities of a state
  • Be clear as to whether coverage excludes computer systems that are located outside any state that is affected in the manner outlined in the previous requirement by the state-backed cyber attack
  • Set out a robust basis by which the parties agree on how any state-backed cyber attack will be attributed to one or more states
  • Ensure all key terms are clearly defined

Given the complexities that could arise in drafting the exclusions, managing agents must demonstrate that they have been legally reviewed, the Lloyd's bulletin said. Managing agents will also be required to demonstrate that the exclusions meet Lloyd's requirements.

"Where managing agents wish to diverge from the requirements set out in this guidance, they will need to provide a robust explanation for their approach and receive agreement from Lloyd's," the bulletin said.
