Lloyd’s insurers must exclude state-backed cyber attacks in standalone (or affirmative) cyber policies, according to a Lloyd’s market bulletin issued this week.

The exclusion would include liability for losses arising from both war- and non-war-related state-backed cyber attacks.

“Lloyd’s remains strongly supportive of the writing of cyber attack cover but recognizes also that cyber-related business continues to be an evolving risk,” said the bulletin. “If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage.”

The bulletin explained “that losses have the potential to greatly exceed what the insurance market is able to absorb.”

In a phased approach starting in 2020, Lloyd’s began to require all policies to specify whether cyber cover is provided by either including affirmative cover (via a standalone cyber policy) or excluding it.

“[W]hen writing cyber attack risks, underwriters need to take account of the possibility that state-backed attacks may occur outside of a war involving physical force. The damage that these attacks can cause and their ability to spread creates a similar systemic risk to insurers,” said the Lloyd’s market bulletin No. Y5381, published on Aug. 16.

Many Lloyd’s managing agents are already including clauses in their policies specifically designed to exclude cyber attack exposure arising both from war and non-war, state-backed cyber attacks, the bulletin affirmed.

“We wish to ensure, however, that all syndicates writing in this class are doing so at an appropriate standard, with robust wordings. We consider the complexities that can arise from cyber attack exposures in the context of war or non-war, state-backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust.”

At a minimum, the bulletin said, the state-backed cyber attack exclusion must:

  1. Exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
  2. Exclude losses arising from state-backed cyber attacks (subject to 3) that (a) significantly impair the ability of a state to function or (b) significantly impair the security capabilities of a state.
  3. Be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) and (b) above, by the state-backed cyber attack.
  4. Set out a robust basis by which the parties agree on how any state-backed cyber attack will be attributed to one or more states.
  5. Ensure all key terms are clearly defined.

“For the 2023 year of account business planning process, we will be discussing with managing agents the clauses that they will be agreeing for use in standalone cyber attack policies,” said the bulletin.

Managing agents must demonstrate that the clauses they will be adopting meet these requirements, it continued. “Where managing agents wish to diverge from the requirements set out in this guidance, they will need to provide a robust explanation for their approach and receive agreement from Lloyd’s.”

LMA Model Clauses

According to the bulletin, the Lloyd’s Market Association (LMA) has already produced suitable model clauses that address state-backed cyber attacks, issued as “LMA21-043-PD,” which would satisfy the requirements set out in the bulletin.

Managing agents must decide which clause they wish to adopt, provided they can demonstrate the clause meets the market requirements, unless they receive a dispensation from Lloyd’s.

The new requirements take effect from March 31, 2023, at the inception or on renewal of each policy. There is no requirement to endorse existing, in-force policies, unless the expiration date is more than 12 months from March 31, 2023.

In implementing the requirements set out above, the bulletin reminded managing agents that they also need to have regard to the terms of their reinsurance programs, to ensure they provide appropriate, back-to-back cover.