
Lloyd’s of London battles insurers over ‘state-backed’ cyber attacks


Lloyd’s of London, the world’s oldest insurance market, is locked in a fight that will shape the future of the industry’s newest gold mine: selling protection against cyber attacks.

From next month, Lloyd’s will require the dozens of insurers that operate in the market to include exemptions that would prevent policies paying out if a major attack is judged to be “state-backed.”

Exclusions for acts of war have long been a staple of policies ranging from property to motor, shielding insurers from the potentially crippling claims that a physical conflict generates.

But Lloyd’s, a powerhouse in the global industry, believes war exclusions need updating for the internet age, when cyber warfare can be government sponsored even in the absence of conventional conflict. Failure to exclude significant state-backed attacks from policies would leave insurers exposed to “systemic risk”, Lloyd’s said when it first announced the plan last summer.

The move is the most significant attempt yet to overhaul the still embryonic market and comes as companies increasingly identify cyber attacks as one of the biggest threats to their operations. Businesses spend around $10bn a year on policies designed to compensate them for business interruption and other financial losses. Fitch Ratings forecasts the total spend could reach $22.5bn by 2025.

The “proliferation of imprecise cyber war exclusions could hurt the development of a sustainable cyber insurance market, which is in no one’s interest,” warns Simon Ashworth, head of insurance analytics and research at S&P Global Ratings.

The debate unleashed by Lloyd’s has also exposed how contentious the question of cyber insurance has become for the industry. A spate of attacks in recent years that disrupted hospitals, shut down pipelines and targeted government departments alarmed some industry executives and sent prices for cyber insurance soaring.

Opponents of the move to exclude state-backed attacks say it risks putting off companies buying the insurance at all, potentially squandering one of the biggest opportunities for the industry in a generation.

“If the insurance industry doesn’t step up, [cyber] will be one of the biggest missed opportunities with companies self-insuring or government schemes being developed to deal with the challenge,” said Michael Steel, head of Moody’s RMS, a major risk-modelling firm.

Some of the world’s biggest cyber insurers say the Lloyd’s episode has been a bruising one.

“It’s a public relations disaster for the industry,” said Joshua Motta, chief executive at San Francisco-based Coalition, a major cyber insurer that sells some of its policies within Lloyd’s. Though he is adamant that cyber insurers will continue to pay high levels of claims, Motta said the intervention by Lloyd’s “was designed to bring clarity . . . in practice it seems like it has done the opposite”.

The run-up to the deadline has been frantic as insurers seek to make sure their own policy wordings meet Lloyd’s requirements. Some businesses, fearful that the policies will no longer give them adequate cover, have taken their concerns to Lloyd’s leadership directly, according to people familiar with the matter.

“Where we feel the mandate has caused undue pressure is by not allowing enough time for the commercial market to come up with solutions,” said Sarah Stephens, head of international cyber at Marsh, the world’s biggest insurance broker. Insurers feel “handcuffed” by the timing and the requirements, she added.

[Bar chart: Some of the main reasons companies give for not buying cyber insurance (% agree). Cost and distrust over payouts restrain demand.]

The ability to produce carefully crafted language has long been a vital skill for insurers, but as they have hurried to bring cyber policies in line with the Lloyd’s directive two key areas of concern have emerged.

The first centres on attributing attacks. Andrew Correll, insurance solutions director of SecurityScorecard, which rates companies on their cyber security defences, predicted confusion in the aftermath of an incident as insurers seek to argue it is state-backed, and victims try to prove the opposite.

“Rarely do countries take responsibility and sometimes threat actor groups don’t have clear affiliation,” he said.

Many attacks fall within what Elizabeth Braw, a senior fellow at the American Enterprise Institute, has dubbed “greyzone aggression”, when one country seeks to weaken another but without declaring war. She cites as an example the 2017 NotPetya attack, attributed by US intelligence to Russia, which disrupted Ukraine’s state infrastructure but spilled over to affect big US and European businesses. Some insurers argued that NotPetya was akin to a “warlike action” and therefore not covered.

The second point of contention is how to define attacks that create “significant impairment to state infrastructure”, a description used by Lloyd’s in its directive to the London market’s insurers.

This is especially difficult, said Marsh’s Stephens, for providers of services such as healthcare and finance, who are worried that any sabotage against them would end up being excluded as an assault on essential state functions. The ambiguity over both this and attribution meant Marsh still could not tell its clients exactly when policy conditions would be triggered, she added.

“Unless there is a very clear definition of war, you are not going to be able to apply the exclusion with any consistency,” said Mike Kessler, head of cyber at US-listed insurer Chubb. The insurer, which also has a Lloyd’s operation, has been in talks with Lloyd’s over whether the wording of its exclusions meets the new requirements.

Insurers that have already adopted Lloyd’s-compliant war exclusions ahead of the deadline say they are feeling the effects on the top line.

“Our new business [in cyber] went down in December last year and into this year because the cyber market has not universally approved cyber wordings yet,” Adrian Cox, chief executive at Lloyd’s insurer Beazley, told the Financial Times at its full-year results in March.

Still, he defended the step as the “right thing to do” to provide transparency, as well as being increasingly demanded by reinsurers, who share losses with primary insurers.

Regulators have also pushed for clarity. The Bank of England in January warned that insurers must assess the consequences if exclusions in cyber policies do not hold up when challenged by customers.

The move by the centuries-old market carries some risks as businesses can choose to buy policies elsewhere, including in rival international markets such as the US, or from UK and European insurers outside of Lloyd’s.

Coalition’s Motta said that the group, which does some business through Lloyd’s, will continue to offer cyber insurance with its existing exclusions on those policies it sells on other markets.

Speaking to the FT last week, Lloyd’s chief executive John Neal stressed “cover can be given” for major state-backed cyber attacks but only through add-on policies that clearly set out the terms and cover, as is the case for other lines of business such as marine and aviation. But those in the market say there is, as yet, limited appetite among insurers to provide specific war coverage for cyber.

The controversy comes as Lloyd’s last year reported its best underwriting performance since 2015 as a sustained upswing in commercial insurance and reinsurance prices more than made up for big claims from the Ukraine war and Hurricane Ian.

Patrick Tiernan, chief of markets at Lloyd’s, was unrepentant when defending the need for exclusions earlier this month. “If folks in other jurisdictions . . . feel it is a good time to be giving away this cover to gain market share, best of British luck to them,” he told underwriters at a quarterly presentation.


