Lloyd’s of London’s recent mandate that companies in its vast market stop selling insurance for state-backed cyber attacks will drive some global insurers to restrict coverage in a fast-growing business.
Lloyd’s, the world’s largest insurance marketplace, earlier this month asked all cyber insurers selling through its platform to rewrite their policies, starting March 2023, to indicate that they will stop selling coverage for cyber-attacks that are sponsored by government entities.
The announcement will force Lloyd’s insurers to balance making their products competitive with narrowing cyberattacks coverage. It could also encourage carriers not on Lloyd’s market to exclude coverage for catastrophic cyber-attacks, at a time when the Russian-Ukraine war has heightened insurers’ worries about widespread hacks.
“It’s a big difference for the cyber insurance industry. And it’s going to give buyers pause in terms of using Lloyd’s of London,” said Stephanie Frenier, senior vice president at insurance broker CAC Specialty.
Insurance giants like AIG, Chubb, and Liberty Mutual don’t have to entirely adopt the requirement because their business is widely diversified in product and sales markets. But their insurance arms that sell through Lloyd’s market must obey its rules.
Virtually all major insurers, including Berkshire Hathaway, CNA Financial, Much Re, Fairfax Financial, and Travelers, sell some coverage through Lloyd’s insurance marketplace, according to AM Best, the world’s largest insurance credit agency.
Lloyd’s is telling the big insurers “we don’t have regulatory authority over you. But we have authority over your syndicates here at Lloyd’s,” said Celso De Azevedo, a cyber insurance attorney at Enterprise Chambers.
Lloyd’s is based in London, but plenty of American policyholders buy insurance through US insurers’ that sell on Lloyd’s market as its “syndicates.” More than 40% of Lloyd’s global premiums come from US customers, according to Lloyd’s website.
Cyberattack insurance is in heavy demand among corporate customers. Top 20 US insurers took in over $3.9 billion in cybrersecurity direct premiums in 2021, according to A.M. Best’s data. Standalone cyber premiums jumped 95% in 2021, it said.
State-sponsored cyberattacks often occur in the context of international disputes. And insurance companies have policy contract terms that exclude coverage for risks from wars.
But Lloyd’s new requirement is “tougher” for policyholders than any current war exclusions in the market, Frenier said.
Other market watchers see the change as a way for Lloyd’s to provide clarity in the nascent cyber insurance market, which lacks uniformity in policy terms and exclusions. Cyber insurers have experienced a 300% increase in losses since 2018, according to Fitch Ratings.
A New Jersey court ruled last year that a Chubb unit can’t deny coverage for Merck & Co.’s $1.4 billion losses from NotPetya, a 2017 malware hack that the US has blamed on Russia. (The Kremlin called the accusation “groundless.”) The court held that Chubb’s war exclusion only bars physical warfare, not cyberattacks.
Even though Merck sought coverage from property insurance, the ruling put all insurers, especially cyber carriers, on alert about the clarity of their policy language.
Lloyd’s changes isn’t the first time it has sought to limit coverage for cyber insurance. Last November, it issued a note to its insurers to exclude coverage in four cyberattack-related areas. The change helped to eliminate Lloyd’s-market insurers’ burden to prove a cyberattack is state sponsored before enacting the war exclusion.
Insurers can also establish that a country was involved once the victims’ national government lays blame on another country, even if the accused country denies it, Lloyd’s said.
Those exclusions potentially indicate that “the moment, for instance, that the White House says it was the Russians or other threat actor, that’s it,” said De Azevedo. “It is proved that it was such an actor.”
If the victims’ country takes “an unreasonable length of time” or can’t point to another country, then the insurer can decide whether a cyberattack is state-backed and exclude coverage for such incidents, Lloyd’s said in November.
However, insurers didn’t broadly follow Lloyd’s changed terms on excluding war coverage this year, Frenier said.
Now, Lloyd’s is asking insurers to either obey its November proposals or draft their own state-backed hacking exclusions that meet its requirement.
Lloyd’s new initiative could lead to more litigation given uncertainties, said Andrea DeField, a Hunton Andrews Kurth partner.
Loyd’s changes still leave many questions unanswered, industry watchers say.
The covert nature of cyber incidents makes perpetrators difficult to trace, said Judith Selby, who represents insurers at Kennedys Law.
National governments also rarely openly attribute a hack to another country and “act in a more strategically ambiguous manner” to avoid political pressure to respond, said Peter A. Halprin, a partner at Pasich LLP.
Will Insurers Follow?
Scott Godes, a partner at Barnes Thornburg, said cyber insurers “would be smart to avoid Lloyd’s broader exclusions” if they want to retain and grow corporate customers.
Some US insurers are creating their own exclusions to tackle catastrophic cyber losses, Frenier said.
Beazley recently unveiled war and infrastructure failure exclusion plans to bar coverage for catastrophic events. Additionally, Chubb, the biggest US cyber insurer, proposed a widespread event cyber coverage last November that charges separate premiums on top of a typical cyber policy.
Many cyber carriers may not add those exclusions because they want to grow business, Frenier said. They may take advantage of other insurers’ coverage restrictions to charge higher premiums with their broader coverage, she added.
Still, the insurers with large presence in the US, including Chubb, Fairfax Financial, Tokio Marine, Travelers and Beazley, won’t hesitate to narrow coverage to avoid catastrophic losses, said Sridhar Manyem, director of industry research at AM Best.
“Any directive that’s coming from an organization like Lloyds definitely will cause insurers to examine their own policy wordings,” Manyem said.