A U.S. mid-term election year (short of a Presidential election year) was the perfect time to quietly issue a “Market Bulletin” announcing that Lloyd’s of London was expanding its coverage exclusions for cyber-attacks. The bulletin, released on August 16, 2022, warns that as of March 31, 2023, all Lloyd’s syndicates will exclude coverage for cyber-attacks originating with state-backed malicious actors, through newly required policy provisions.
For anyone who thinks this seemingly benign announcement is not a big deal, consider the following analogy drawn from a traditional property hazard insurance policy: Business X purchases property insurance that includes coverage for arson and fire damage. On the renewal date, the carrier announces that it will no longer provide coverage “if the fire and/or arson originated from any type of device designed to initiate a fire,” such as a match or the gas ignition spark inside an oven. Since nearly every fire starts with some such device, the exclusion swallows the coverage.
Lloyd’s announcement is likely a repercussion of the opinion of the New Jersey Superior Court, Union County, in Merck & Co. v. Ace Am. Ins. Co., Docket No. UNN-L-2682-18, issued on December 6, 2021. There, Merck sought coverage from the defendant insurers after a malware infection caused $1.4 billion in losses across more than 40,000 computers worldwide. Although Merck’s “all risks” property policy provided up to $1.75 billion in coverage, including for “destruction or corruption of computer data,” its insurer, Ace American, denied the claim under the Hostile/Warlike Action Exclusion (the “War Exclusion”). Ace argued that the War Exclusion barred recovery for damage caused by hostile or warlike actions, in time of peace or war, committed by any government, sovereign power, or military force, or by an agent of such a government, power, or force.
The malware that crippled Merck’s systems was identified as NotPetya, a known instrument of the Russian government. The court found in favor of coverage, perhaps to protect Merck in a state with a substantial industrial port system, but grounded its reasoning in the absence of any precedent holding that “war” or “hostile acts” encompass cyber-attacks. The court went on to fault the insurers for never revising the exclusion to single out nation-state cyber-attacks if that is what they intended to exclude from coverage:
“Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber-attacks. Certainly, they had the ability to do so. Having failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.”
Beyond Lloyd’s market influence, which will likely lead other insurers to follow with their own exclusions for state-backed cyber-attacks, and beyond the effect on already rising premiums, the announcement hands malicious actors even more leverage over their victims.
Like everything else, malware is for sale on the dark web to anyone with a crypto wallet, and would-be attackers can just as easily buy the tools or the tutorials needed to run denial-of-service attacks. Malware originally developed by a Russian or Iranian actor, whether state-sponsored or independent, or tooling habitually used by state-sponsored groups, can be used by anyone willing to pay for it. The burden of attribution, and specifically of showing that the attackers were not state-sponsored, may therefore fall on the insured rather than the insurer, and that showing is hard to make: multiple advanced persistent threat groups and ordinary criminal crews routinely share the same tools, such as commodity remote access trojans or the TrickBot malware.
If, during a cyber-attack, the insured receives communications from the attackers that strongly suggest a Russian or Chinese origin, how is the insured motivated to respond? Is the insured now more inclined simply to pay the ransom, knowing that coverage is likely excluded? Or does the attacker demand a larger ransom in exchange for a promise to conceal any affiliation with a particular nation, so that the insured can confidently claim coverage? These are not hypothetical questions.
There is little to no doubt that the Russians, Chinese, Iranians, and North Koreans saw Lloyd’s market bulletin and already know how to turn the changes in the cyber insurance market to criminal advantage. The only advice for entities with coverage, currently renegotiating coverage, or seeking new coverage is to renew their cyber policies before March 2023 and lock in a policy for as many years as possible. But wait, could that be one of the insurance market’s ulterior goals?