The rollout of the Lloyd’s cyber war exclusions has received considerable criticism for the chaos and confusion caused in the weeks leading up to the March 31 effective date. But there are some certainties to keep in mind about the new regime.
For example, a compliant cyber war exclusion must be included in policies purchased through Lloyd’s — it’s not voluntary. Also, the most commonly used exclusion (LMA5567A/B) does not exclude state-sponsored cyber attacks unless certain thresholds are met — the most notable of which is that the insured digital assets must be located in a state that has suffered a “major detrimental impact.”
And another important fact is that the LMA’s exclusions can be revised, provided they adhere to Lloyd’s requirements listed in Lloyd’s Market Bulletin Y5381.
This article is the first of a series, with a coming article focusing on thoughts from brokers and insurers about the new Lloyd’s cyber war regime.
Of course, the devil is in the detail — and some market experts say that the legal profession could be a major beneficiary, when and if future disputes arise.
While Lloyd’s executives admit the market has faced and will continue to face some disruption, they support the need for the exclusions. Burkhard Keese, Lloyd’s CFO, admitted the exclusions have received a lot of criticism but are “needed to provide contractual certainty around uninsurable losses.”
“Our stakeholders expect Lloyd’s to provide leadership in these difficult decisions, and I believe we are happy to take and to accept that leadership,” he said during a media briefing in March to discuss the market’s 2022 financial results.
Lloyd’s CEO John Neal admitted that the cyber war exclusion could cost the market some income. (Some market participants have suggested that it will be the U.S. market that benefits from the exclusion, although it remains to be seen how the market will evolve once people get used to the new regime.)
“You’ve got to define what limits you’re giving, what exposure you’ve got. It’s obvious. It may take others a little while to get there, but it’s the right answer,” said Neal during the same briefing.
“We cannot leave ourselves in a similar situation that we found ourselves in, for example, with business interruption claims where we’re debating the cover at the point of loss. So, we’ve made the right decision short term. Do I think that could cost us some income? Yes, I think it could, but cyber is still our fastest growing insurance product anyway,” Neal confirmed.
Keese’s and Neal’s concerns about clear wordings appear to be justified, given the recent decision in the appellate division of New Jersey Superior Court, which upheld a state trial court opinion that the war exclusion in drugmaker Merck & Co.’s all-risk property insurance policy does not apply in the case of the cyber attack the company suffered in 2017. (Notably, this was not a cyber policy.) The court ruled that insurers could not use the policy exclusion to avoid covering about $1.4 billion in damages Merck said it suffered from the NotPetya cyber attack in the spring of 2017.
Nevertheless, there is an agreement that the LMA cyber war exclusions may be a good start for discussions, but further refining probably will be required. While many Lloyd’s syndicates and non-Lloyd’s insurers have adopted the LMA exclusions, other insurers (such as Beazley) are providing their own acceptable adaptations of the exclusions. Brokers, including Marsh (in conjunction with Munich Re) and WTW, also have prepared adaptations in response to consultations with cyber insurance buyers.
Deeply Unhelpful
But the rollout wasn’t an easy one, in part because of communication failures — from the press and even the LMA itself. Lessons have been learned.
Misreporting about the LMA exclusions — specifically that Lloyd’s war exclusions do not cover state-sponsored cyber attacks — has been “deeply unhelpful,” said Andrew Hill, global head of Cyber Coverage & Innovation at WTW, who moderated a panel on the LMA cyber war exclusions at the Zywave Cyber Risk Insights London Conference 2023.
While one of the exclusions does exclude all state-sponsored attacks — that’s LMA5564 and its iterations — Hill said that exclusion is not being used anyway. The most commonly used exclusion is LMA5567, which does not blanket exclude nation-state attacks. “In fact, on the contrary, it covers nation-state cyber attacks unless certain thresholds have been met,” he added.
Hill suggested the manner in which Lloyd’s rolled out its cyber war exclusions had shaken buyers’ confidence in the London market and the communications surrounding the publication of the LMA exclusions could have been handled better. “I’m sure brokers all share experiences of clients having some reticence to buy into the LMA war exclusions.”
For example, Hill noted that, over the past year, clients have had to face the prospect of five, six or seven different war exclusions in one tower of insurance because there is a lack of market consensus on appropriate war exclusions, which has not been helpful. In an emailed interview after the meeting, Hill said the sheer number of war exclusions hitting the market in recent months has naturally led to some confusion among insurance buyers.
“Whilst I’m not necessarily recognizing that there has been tangible damage to the perception of the London market, I can see that there’s been a lot of very unhelpful publicity, and I think that’s based on a misunderstanding of how these clauses actually operate,” said Helga Munger, senior cyber claims manager, Munich Re, who spoke on the panel and also worked on developing the exclusions.
Patrick Davison, underwriting director for the LMA, admitted that the rollout hadn’t gone according to plan. “What we probably didn’t do very well, and with hindsight could have done better, was engage a bit more broadly around some of the principles of what we were doing.”
He recalled that there was a long debate over three years to develop the exclusions and the initial publication in 2021 was met relatively quietly, but with the re-publication of the clauses last year, the volume of debate increased significantly.
“Now, had we had some earlier conversations about principle and intent, would those discussions have been less emotive and more constructive? Quite possibly, I think, is the answer. So, there are some lessons for us as an organization.” Davison said the model clauses are designed to stimulate debate, “and we’ve certainly achieved that.”
The LMA has published four exclusions for “war, cyber war and cyber operation”: LMA5564, LMA5565, LMA5566 and LMA5567. (In January, the LMA issued revised versions — the “A” clauses — with LMA5567A proving to be the most popular. A Munich Re-Marsh exclusion is also available to the market.)
With the benefit of hindsight, Hill asked the Zywave panel if it was possible that a war exclusion spread over a page and a half, which deals with multi-layered issues of war, nation-state attacks and infrastructure issues, was perhaps too ambitious to be “socialized with clients who perhaps don’t have that amount of time to invest in understanding all of those layered issues.”
Munger acknowledged that the first iteration of the LMA5567 clause was complex but has since been revised, with input from Munich Re, Marsh and Aon. “We have a clause which LMA published this year, which is much simpler, much shorter, much more concise and very understandable,” she said. “So, I think we’ve recognized that the complexity of the language was an impediment, but the function of the clause is basically the same. What we are trying to exclude is those catastrophic events that insurance cannot possibly sustainably cover.”
Hill expressed concern that there are signs in the international cyber insurance market of a trans-Atlantic dichotomy. On the one hand, there is the influential U.S. market, which is still hanging its hat on war exclusions based on the NMA464-type exclusion, drafted as far back as 1938 (in the pre-digital era). On the other hand, he said, there is the Lloyd’s market, which together with Munich Re and a few other companies are putting their weight behind the LMA exclusions. (The NMA, or the Lloyd’s Non-Marine Association, is the predecessor of the LMA.)
Munger speculated that some U.S. markets may be hesitant to change until they see the outcome of the Merck case. (The Zywave meeting was held before the recent Merck decision.)
“I would say that the debate that we have sparked is actually beneficial for people, whether or not the clauses themselves are the final answer — but I suspect they’re not,” she said.
Questions Remain
Hill questioned the decision not to define what is meant by “major detrimental impact.” (The trigger for the exclusion would be an attack that has “a major detrimental impact” on a state’s “ability to function.”) He acknowledged that a one-size-fits-all definition applicable to the functions of every nation state would not be without its challenges.
Hill recalled a conversation with a representative of a leading global insurer, which is still using a NMA464-type exclusion and expressed concern that LMA5567 just kicks the issues of interpretation further down the road.
“The argument is that, while the LMA exclusions succeed in clarifying what’s meant by ‘war’ and what’s meant by a ‘nation-state attack,’ we still have this concept of ‘major detrimental impact,’ which would require interpretation in the event of the exclusion’s application,” Hill said.
Davison said the definition of “major detrimental impact” was not included because “the complexity of defining that term would mean that you would probably end up with a list of types of things that would happen, which at the time we felt was not the correct way of proceeding.”
The aim was to give the utmost transparency, Munger said. “So, we’ve given those additional explanations of what war means or what is a cyber operation as a part of war. When it comes to the additional concepts of ‘major detrimental impact to the functioning of the state,’ we do have references that we used for that [which] were discussed right at the beginning in the LMA discussions. And they relate to, for example, the UK critical national infrastructure guidelines, which references just what a high bar that major detrimental impact is.”
Davison emphasized that the LMA is open to suggestions about how to improve the exclusions. “I think our view was that there wasn’t an easier or clearer way of doing it at the current time.”