Lloyd’s has published Market Bulletin Y5381, which sets out requirements for exclusions for state-backed cyber-attacks in standalone cyber-attack policy wordings from March 2023. It has said that its insurers will be required to stop covering state-backed cyber-attacks in their standard cyber insurance policies from March 2023 or on renewal of each cyber-attack policy. This may highlight the importance of appropriate cyber cover for all businesses, including insurance brokers.
- Lloyd’s has told its underwriters to make exclusions for cyberattacks launched by governments and state actors, over concerns such attacks could expose the market to unmanageable losses. In the published Market Bulletin, Lloyd’s has said that, if not managed properly, a state-backed cyberattack has the potential to expose the market to systemic risks that syndicates could struggle to manage.
- A large-scale cyber attack launched by a foreign power could expose underwriters to systemic risks, due to the damage such attacks can cause and their ability to spread on a widespread basis. This risk is heightened by the world’s heavy reliance on digital infrastructure as the losses could go far beyond the market’s capacity.
- In particular, the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb.
- The new policy comes amid warnings the world could see a major uptick in cyberattacks due to the war in Ukraine and an increased threat from Russian hackers.
- Lloyd’s said standalone cyber-attack policies must include clauses excluding liability for losses arising from state-backed hacks unless approved by Lloyd’s.
Why cyber insurance matters
This comes at a time when a large insurance broker has reported in its Report and Accounts (Companies House) that it suffered an attempted cyber attack, which it managed to stop and contain, but which led the firm to conduct a thorough review of its systems and protections. It reported a net cost for this, after taking into account the insurance coverage assistance, of some £122k, which would have been a cost of £363k without the benefit of its cyber insurance coverage.
This ties in with the FCA’s operational and financial resilience concerns, because an analysis of recently published insurance broker RMAR data indicates that a significant number of insurance intermediaries do not have sufficient capital to absorb an unexpected cost of this magnitude (Table 16 in the published data).
Brokers should also consider what and how they advise their own clients in the area of cyber insurance to prevent any misunderstanding and potential complaints and litigation further down the line (as we saw with Business Interruption Insurance during the pandemic). This could be an example of where you can see the Consumer Understanding outcome of the Consumer Duty coming into play.