In a move that has raised concerns among financial institutions, Lloyd’s of London is set to exempt big “state-backed” cyberattacks (attacks that are carried out on behalf of governments) from standard insurance policies, according to the Financial Times and Wall Street Journal.
Bank of America, one of the world’s largest banks, is one of the institutions that has expressed concern about the new rule. The bank believes that the change will leave it and other businesses vulnerable to potentially catastrophic cyberattacks.
As reported by the Wall Street Journal, “as of March 31 [2023], when coverage begins or is renewed, syndicates must exclude state-backed cyberattacks from policies that protect against physical and digital damage caused by hacks, Underwriting Director Tony Chaudhry said in a bulletin dated Aug. 16.”
Lloyd’s of London is a centuries-old insurance market that has played a leading role in the development of cyber insurance. In recent years, the market has faced a growing number of claims from businesses that have been victims of cyberattacks.
The new rule is designed to protect Lloyd’s of London from the costs of systemic cyberattacks. These are attacks that are so large and widespread that they could cause widespread disruption to the economy.
The move is in line with most insurance policies across numerous sectors that exclude policy coverage for acts of war. Lloyds and its supporters argue that state-backed cyberattacks are of equivalent kinetic war exclusion.
State-backed cyberattacks are a growing threat
State-backed cyber attacks are a growing threat.
In the mid-2010’s, a number of high-profile state-backed cyber attacks made headlines, including the 2015 attack on Sony Pictures and the 2016 attack on the Democratic National Committee.
More recently, increasing cyber activity out of China state-backed hacking groups and Russian military intelligence have targeted multiple United States government agencies.
Cyber insurance has become a necessity for organizations across the United States as ransomware proliferates and company data becomes held hostage—or sold on the black market.
Excluding state-backed cyberattacks: a flawed insurance policy?
The new rule from Lloyd’s of London raises concerns about the future of cyber insurance. If insurers are unwilling to cover state-backed cyber attacks, it will leave businesses more vulnerable to these attacks. This could have a cascading effect on economic health and could make it more expensive for businesses to operate.
It also assumes that businesses or organizations have the level of confidence and forensic data to properly attribute a cyberattack. While many of the state-sponsored hacking groups target large international businesses such as Uber and Amazon, smaller corporations with less substantial cash reserves will be more vulnerable.
Consultive cybersecurity services for cyber incident response and recovery can cost companies millions of dollars. Frequently, infected infrastructure is so difficult and costly to remediate that many companies simply remove the hardware or virtual infrastructure from their IT stacks and are left to purchase and deploy new systems.
Cybersecurity attribution is an incredibly complex effort, and as more “state-backed” hacking groups emerge and rise in sophistication, the target surface area inevitably increases.
If a state-backed hacking group utilizes a six-year old known Cisco hardware vulnerability for reconnaissance and deploying malware, is it really the equivalent of a war-time attack?
Is it really fair to exclude from a cybersecurity insurance policy?
It seems cybersecurity insurance policies are quickly catching up to the rest of the insurance industry—raising rates, making more exclusions, and leaving policy holders with little alternative.
