Cybercriminals are waging a constant virtual battle to steal or ransom money and valuable information. Now, insurers are worried about the growing threat that actual war may spill over into cyberspace as a result of the conflict in Ukraine and rising geopolitical tensions worldwide.1 To limit the potential for catastrophic losses arising from cyber war and terrorism, Lloyd’s and other major insurers are deploying exclusions, starting in 2023, for state-backed and widespread attacks. These exclusions add more uncertainty for insureds even as cyber policies evolve to address a constantly changing threat landscape. It is crucial for retail agents and insureds to understand how the new exclusions may affect their cyber coverage and exposures. A wholesale broker with deep expertise in cyber coverage and strong carrier relationships can help guide retailers and their clients through potentially confusing policy choices to build the optimal cyber program.
CYBER WAR AND TERRORISM
Cyber coverage remains among the fastest-growing insurance markets, but carriers still need to protect themselves against catastrophic cyber events that are simply too costly to cover, such as state-sponsored attacks that cause widespread damage. Over the past year, the Russia-Ukraine conflict has reshaped the threat landscape as geopolitics exert a stronger influence on cyber operations. Those changes include significant increases in cyber operations connected with physical military action, in cybercrime, and in the mobilization of so-called hacktivist groups. Among the trends are zero-day exploits that take advantage of previously unknown security flaws, increasing supply chain attacks, and growth of the hacker-as-a-service business model. Ransomware remains a major threat amid increasingly sophisticated phishing attempts that use ‘deep fake’ tools and artificial intelligence. At the same time, denial-of-service attacks are becoming larger and more complex.1 While the cyber insurance market has matured, it remains vulnerable to state-sponsored attacks. The London marketplace has forecast that the cyber market will nearly triple in size to $42.5 billion in 2030 from $14.6 billion in 2022.2 Economic losses from a single global cyberattack, however, could rival that entire market value.
Among major cyber incidents, the 2017 NotPetya attack caused an estimated $10 billion in losses. Newer campaigns could generate even larger losses. The SolarWinds Orion (Solorigate) supply chain compromise, disclosed in December 2020, delivered a backdoored software update to as many as 18,000 customers.3 In early 2021, the Hafnium cyber espionage group chained zero-day exploits against on-premises Microsoft Exchange servers to gain access to networks around the world, including an estimated 30,000 organizations in the U.S. alone. The UK National Cyber Security Centre has since attributed that campaign to Chinese state-backed actors. In its 2022 Threat Report, CrowdStrike cites growth in state-backed and criminal attacks from what it calls the Big Four: Iran, China, Russia, and North Korea.2 Iran-based adversaries have been known to use ransomware to lock up networks and then leak victim information; China-based actors are increasingly targeting internet-facing devices and services; and Russia-based actors have frequently focused on credential harvesting.5
CREATING A CYBER CATASTROPHE MARKET
The potential for catastrophic cyberattacks backed by state actors has spurred insurers to limit their own exposures. Among those, the Lloyd’s Market Association (LMA) has drafted cyber war exclusions to meet Lloyd’s requirement that all insurance and reinsurance policies written in the market must, except in very limited circumstances, exclude losses caused by war; from 31 March 2023, standalone cyber-attack policies must also exclude losses arising from state-backed cyber-attacks.6 In announcing the requirement, Lloyd’s noted that while it supports writing cyberattack coverage, cyber remains an evolving risk that, if not managed properly, could expose the market to systemic risks and generate losses that greatly exceed what the market can absorb.7 Should the threat become large enough that the industry declines to cover state-backed attacks, the question arises whether it may require a program similar to the Terrorism Risk Insurance Act (TRIA), which created a federal backstop for insurance claims related to terrorism.
Taking a lead from the property catastrophe market, Chubb has introduced endorsements for what it calls widespread or catastrophic cyber events, to differentiate them from more limited attacks.8 Those catastrophic events may include widespread software supply chain exploits, severe zero-day exploits, and severe exploitation of known vulnerabilities. Endorsements for ransomware attacks and neglected software vulnerabilities are also available.
Beazley, a specialist insurer, has also moved to protect itself against catastrophic cyber events, which it defines to include prolonged outages of major cloud service providers exceeding 72 hours and contagion malware that damages a state’s essential services. Its cyber war and infrastructure exclusions have been revised, and a new sub-limit endorsement for catastrophic cyber risk has been added.9 Other carriers are taking similar approaches, adding sub-limits or co-insurance requirements.
A widespread cloud outage could cause major economic damage. The Bureau of Economic Analysis (BEA) estimates that the digital economy accounted for 10.3% of U.S. GDP, or $2.4 trillion, in 2021 and has grown at an average annual rate of 6.7% since 2016. The BEA’s definition of the digital economy includes IT infrastructure, e-commerce, priced digital services, and federal non-defense digital services.
LONDON CYBER EXCLUSIONS
The London exclusions vary in strictness and are likely to appear on all new business, but some observers suggest Lloyd’s is unlikely to mandate a specific wording.11 All of the exclusions deny coverage in connection with war but take varying approaches to state-backed cyber operations and to sub-limits. In the LMA wordings, a cyber operation is the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate, or destroy information in a computer system of, or in, another state.
The first LMA exclusion (LMA5564) is the strictest, denying coverage for war and for any state-backed cyber operation. The second (LMA5565) excludes cyber operations carried out in the course of war; retaliatory cyber operations between specified states; and cyber operations that have a major detrimental impact on the functioning of a state, its essential services, or its security. Other cyber operations remain covered, subject to a sub-limit. The third (LMA5566) applies the same definitions and exclusions but covers the remaining cyber operations in full rather than under a sub-limit. The fourth (LMA5567) additionally carves back coverage for so-called bystander cyber assets, that is, computer systems used by the insured or its third-party service providers that are not physically located in the impacted state, even where the underlying operation has a major detrimental impact.
CALLING A CATASTROPHE
Where a state-backed cyber operation is alleged, the London exclusions place the burden of proof on the insurer to show that the exclusion applies. Under the LMA wordings, attribution is primarily determined by the government of the state in which the affected computer system is physically located; where that government takes no position or is slow to do so, the insurer may rely on an objectively reasonable inference as to attribution. One of the biggest uncertainties is who would make the determination when no state claims credit for an attack, as insurance carriers do not necessarily want to rely on governments to make the decision.
The U.S. government has blamed North Korea for the 2014 attack against Sony Pictures, and the UK determined that state-backed Chinese actors were behind the Hafnium campaign. Where no such government determination is made, UK-based managing general agent CFC has called for an independent body to be established to make the call. Under this scenario, a committee of independent experts from the cyber security, legal, and technology spheres would declare whether a major loss qualifies as a cyber catastrophe.12
At heart, however, the exclusions are meant to clarify insurers’ intent: standard cyber policies are not meant to cover acts of war or terrorism, or widespread breaches and outages that cause massive losses. Insurers are not offering to cover events that would put them out of business. Given the potential economic damage, insurers would prefer never to be in a position where such exclusions apply. From that standpoint, the exclusions may be viewed as a test of market reaction, that is, how insureds will respond to the new policy language. Insureds are, of course, used to exclusions for catastrophic events on a wide range of policies, such as general liability. Cyber carriers are now seeking to draw the same distinction.
TIME WILL TELL
The cyber market is still relatively new, so insurers lack sufficient historical data to accurately quantify the scope of a systemic risk. The new cyber catastrophe exclusions allow insurers to eliminate the worst-case scenario and free up capital that they would otherwise have to hold in reserve. However, until the new exclusions have been tested in the marketplace, it will remain unclear just how strictly insurers will seek to apply them and how they will be interpreted. Each claim is unique and will have to stand on its own merits.
While insurers rely on historical data to price risks, brokers and insureds rely on precedent to gauge how claims are likely to be handled and paid. The industry has developed a solid understanding of attacks such as ransomware and social engineering, and brokers have a good deal of clarity on how policies respond to them. But they lack that experience with cyber war and terrorism, with how such attacks will be designated, and with what policy responses are likely to be.
These exclusions arrive as competition heats up in cyber insurance, particularly in the excess marketplace, after a hard market brought rates up from underpriced levels. In addition, insurers have become more comfortable with many cyber risks as insureds have improved their cyber risk management. Still, cyber defenses always lag behind quickly evolving threats, and it is very difficult to predict what the next zero-day attack will look like.
Insurers want to protect themselves from the growing risk of cyber war and terrorism. State-sponsored attacks may pose a bigger danger to larger insureds with multinational operations, but a severe cloud outage could affect companies across the spectrum. Emerging cyber war exclusions are in effect a test case that insurers are not eager to apply. Still, the changes may produce many coverage nuances between carriers. Brokers and insureds need to understand the exclusions, how they differ from market to market, and how their specific policy will respond. For instance, insureds need to be aware of sub-limits for cyber terrorism and how those would affect their coverage. In a world of growing cyber threats, insureds should also expect underwriters to scrutinize their cyber defenses. In an increasingly complex market, a wholesale broker with deep product knowledge and market awareness can help retail brokers and their clients better navigate the changing cyber coverage landscape.
- Tim Graham is a Broker and member of the ExecPro Practice Group with CRC Group’s Chicago office where he specializes in Cyber, Financial Institutions, Professional, and Management Liability.
- Fitz Swain, an Associate Broker with CRC Group’s Los Angeles office, is a member of the ExecPro Practice Group and the Cyber/Tech Liability Specialty Group.
- Lori Wheeler, a Broker with CRC Group’s Dallas office, specializes in professional liability exposures and is a member of the ExecPro Practice Group.
- ENISA Threat Landscape 2022, November 3, 2022, European Union Agency for Cybersecurity. See: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022
- Lloyd’s Cyber Summit, Nov. 1, 2022, See: https://assets.lloyds.com/media/3cb06600-2c30-40d9-9e79-4d9b02670192/Lloyd’s,%20Cyber%20Summit%20Brochure%20-%20Final.pdf
- UK and allies hold Chinese state responsible for pervasive pattern of hacking, July 19, 2021, National Cyber Security Centre, See: https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking
- CrowdStrike’s Annual Threat Report Reveals Uptick around Ransomware and Disruptive Operations, Feb. 15, 2022, CrowdStrike. See: https://www.businesswire.com/news/home/20220215005198/en/CrowdStrike’s-Annual-Threat-Report-Reveals-Uptick-Around-Ransomware-and-Disruptive-Operations-Exposes-Evolution-of-eCrime-Ecosystem
- Cyber War and Cyber Operation Exclusion Clauses, Nov. 25, 2021, Lloyd’s Market Association. See: https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA21-042-PD.aspx
- Market Bulletin, 16 August 2022. Lloyd’s. See: https://assets.lloyds.com/media/35926dc8-c885-497b-aed8-6d2f87c1415d/Y5381%20Market%20Bulletin%20-%20Cyber-attack%20exclusions.pdf
- Chubb Addresses Growing Cyber Risks with a Flexible and Sustainable Approach, Chubb. See: https://www.chubb.com/content/dam/chubb-sites/chubb-com/us-en/business-insurance/cyber-enterprise-risk-management-cyber- erm/documents/pdf/2021-10.13_v3_17-01-0295_Widespread_Events_Endorsements.pdf
- Addressing catastrophic cyber risks, Oct. 28, 2022, Beazley. See: https://www.beazley.com/en-us/articles/addressing-catastrophic-cyber-risks
- Digital Economy, Nov. 22, 2022, U.S. Bureau of Economic Analysis, See: https://www.bea.gov/data/special-topics/digital-economy
- State-sponsored Cyber Attacks – New Lloyd’s Requirements and What it Means for You, September 7, 2022, Howden. See: https://www.howdengroup.com/uk-en/State-sponsored%20Cyber%20Attacks%20%E2%80%93%20Lloyds%20Bulletin
- Howden. See: https://www.howdengroup.com/uk-en/State-sponsored%20Cyber%20Attacks%20%E2%80%93%20Lloyds%20Bulletin
- CFC spearheads cyber cat-declaration initiative to tackle systemic risk. Sept. 28, 2022, Insurance Insider. See: https://www.insuranceinsider.com/article/2aoh41qs3atr6x3jpj75s/reinsurers-section/cfc-spearheads-cyber-cat-declaration-initiative-to-tackle-systemic-risk
- Eye-Opening Cybersecurity Insurance Statistics (2023), Network Assured, January 10, 2023. https://networkassured.com/security/cybersecurity-insurance-statistics/
- 85% of Organizations Will be “Cloud-first” by 2025, Says Gartner, TechRepublic, November 12, 2021. https://www.techrepublic.com/article/85-of-organizations-will-be-cloud-first-by-2025-says-gartner/
- Cyberattacks 2022: Key Observations And Takeaways, Forbes, October 28, 2022. https://www.forbes.com/sites/forbestechcouncil/2022/10/28/cyberattacks-2022-key-observations-and-takeaways/?sh=28831e33f055