Lloyd’s of London may no longer extend insurance cover to companies affected by acts of war, and new clauses drafted for providers of so-called “cyber” insurance are raising the spectre of organisations caught in tit-for-tat nation state-backed attacks being left high and dry.

The insurer’s “Cyber War and Cyber Operation Exclusion Clauses”, published late last week, include an alarming line suggesting policies should not cover “retaliatory cyber operations between any specified states” or cyber attacks that have “a major detrimental impact on… the functioning of a state.”

“The insurer shall have the burden of proving that this exclusion applies,” warn the exclusion policies published by the Lloyd’s Market Association.

Although the wordings in the four clauses are published as a suggestion for insurers in Lloyd’s-underwritten policies and are not concrete rules, they provide a useful indicator for the direction of travel in the slow-moving cyber insurance world.

The policy clauses also raise the idea of insurance companies attributing cyber attacks to nation states in the absence of governments carrying out attribution for specific incidents, an idea that seems extremely unlikely to survive contact with reality. All four of the clauses, available as PDFs from the bulletin, contain this wording:

Some infosec figures expressed dismay over the new clauses, with Ciaran Martin, former chief of Britain’s National Cyber Security Centre, tweeting:

The document is called “War, cyber war and cyber operations exclusions”. But👇it defines ‘war’ & ‘cyber operations’ but not ‘cyber war’.

Does para 9.2 exclude cover for any state sponsored hacking which happens all the time outside war? If so, that’s huge. Be clear about it 2/4 pic.twitter.com/eI3G35rdhz

— Ciaran Martin (@ciaranmartinoxf) November 28, 2021

Matt Middleton-Leal, EMEA North MD for cloud security firm Qualys, said in a statement that it wasn’t all doom and gloom, though he wasn’t exactly upbeat either.

“Some of the guide policies include protection for ‘bystander attacks’ and some do not,” he said. “Bystander attacks are a risk where a specific nation state attack affects IT systems used by other companies that have the same applications or IT setups in place, and they get hit in the blast radius. While they are not the specific target they may get hit in the same way.”

“Petya in 2017 is a good example of this,” continued Middleton-Leal. “The attack was aimed at Ukrainian companies, but other companies around the world were affected. This new guidance from Lloyd’s is a positive move and one that I think will help – even if state actors do carry out attacks specifically targeting other nation states, the impact on other businesses should not be discounted.”

Cyber intrusions tend to come from nation states’ spy agencies; an insurance policy which refused to pay out if, say, Russia or China broke into a company’s servers to steal customer data would be of very low value in today’s world. All Western businesses targeted by Russia’s SVR spy agency in the SolarWinds hack, for example, would potentially see themselves left with legions of angry end users and no financial safety net to meet lawsuits and beef up their defences.

One could also make a comparison with the Irish health service ransomware attack. Though it wasn’t from a state-sponsored crew (as far as is known at the time of writing), the effects on Ireland’s largely state-owned healthcare sector was disastrous.

British government policy is that cyber insurance can be used to pay off ransomware criminals, though the RUSI defence think tank suggested banning such payments earlier this year. In a research report, RUSI also found that insurers were selling policies with minimal due diligence, leading to (quelle horreur) insurance firms paying out when their clients suffered cyber attacks.

With premiums rising, it’s no surprise that cyber insurance firms are tightening their belts. ®