Clifford Chance

On 16 August 2022, Lloyd's published Market Bulletin Y5381 regarding new requirements for state backed cyber-attack exclusions in standalone cyber-attack policies.

The bulletin stated that from 31 March 2023, all standalone cyber-attack policies must contain an exclusion excluding liability for losses arising from any state backed cyber-attack, unless otherwise agreed by Lloyd's. This puts cyber policies at Lloyd's potentially at odds with non-Lloyd's policies (although it is notable that Munich Re, one of the largest cyber underwriters, has been supportive of the Lloyd's exclusion).

The exclusion must:

1. exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion;
2. (subject to 3) exclude losses arising from state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state;
3. be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state backed cyber-attack;
4. set out a robust basis by which the parties agree on how any state backed cyberattack will be attributed to one or more states; and
5. ensure all key terms are clearly defined.

Lloyd's has prepared four model clauses which the bulletin states meet the above requirements. However, managing agents are free to decide which clause to adopt as long as it satisfies the above criteria. The model clauses were first published on 25 November 2021 and then revised on 20 January 2023. A link to the latest version of each clause is here. The "B" versions of the clauses do not address attribution and are therefore not compliant with the bulletin.

This change only applies to policies incepted or renewed after 31 March 2023, and there is no requirement to endorse existing, in force policies, unless the expiry date is more than 12 months from 31 March 2023.

In respect of the latter category, any policyholder asked to make an amendment to an in-force policy should consider the terms of its policy carefully and whether it is required to agree to such an amendment. Equally, any insurer should ensure before making such a request that it does so in a manner which is consistent with its duties of good faith and regulatory obligations.

Operation of exclusion

While the four model clauses prepared by Lloyd's have some differences, they all follow the same broad structure. At a high level, the exclusion operates as follows:

• the exclusion will apply to loss arising from "war" or a "cyber operation";
• "war" is defined as an armed conflict involving physical force by one state against another or civil war, rebellion, or similar;
• a "cyber operation" means the use of a computer system by, or at the direction of, a state to disrupt access, destroy information or similar, in a computer system; and
• whether a "cyber operation" can be attributed to a state is determined by the insurer and insured having regard to the "objectively reasonable evidence" that is available to them. This may include formal or informal official attribution by the government of the state in which the affected computer system is physically located.

The Model 2 clause varies the above wording by only applying to loss arising from:

• a war, or a cyber operation carried out as part of a war; and/or
• retaliatory cyber operations between any specified states;
• a cyber operation that causes a state to become an "impacted state", which means where the cyber operation has a major detrimental impact on:
  • the functioning of the state due to the disruption of essential services (such as financial market infrastructure, health services, or utilities); or
  • the security or defence of a state.

Model 2 also provides for specific sub-limits in relation to any other cyber operation that does not fall within the above exclusion.

The Model 3 clause adopts the Model 2 wording but without the sub-limit for other cyber operations. Model 4 mirrors Model 3, but also has a writeback for computer systems affected by the attack that are physically located outside the impacted state.

Key takeaways

The issue most likely to give rise to disputes between insurers and policyholders is attribution. Whether a cyber operation has occurred having regard to the "objectively reasonable evidence" that is available is likely to be hotly contested. What evidence will be sufficient for determining attribution is unclear, and due to the clandestine nature of cyber-attacks, determining whether a state is responsible is rife with difficulties. For example:

• it is often difficult to identify the source of a cyber-attack, and a state may use third parties (e.g., hacker groups) to conduct attacks and obfuscate their origin. For example, the UK and US publicly blamed Russia for the "NotPetya" cyber attack in 2017, which Russia denied;
• even if a state determines that another state is responsible for a cyber-attack, that information may never be publicly released due to political, diplomatic, military or other reasons. To the extent that there is significant insurance cover in place, a state might indeed have regard to this point when deciding what information to release, as its decision could have a significant financial impact on businesses which it might wish to protect;
• a state may attribute a cyber-attack to another state for its own political motivations, rather than according to the available evidence; and
• attribution may be by the "government" of the state in which the affected computer system is located - it is unclear whether this must be the executive or legislative branch of the government or will extend to comments made by the state's intelligence, military, or similar agencies. Further, how conflicting statements made by those bodies are to be resolved is not addressed.

Additionally, what constitutes a "major detrimental impact" is also vague and likely to be another area of disagreement.

The causal language is also broad - in that it excludes not only losses directly caused by the relevant events, but also those indirectly caused. How that applies would depend on particular circumstances, but it has the potential to restrict cover significantly in the event that a trigger event occurred. It is not clear whether the original Lloyd's bulletin requires that such broad language be used.

Having regard to the above, it is debatable whether the model clauses meet the requirement in the bulletin that they "must set out a robust basis" regarding how cyber-attacks are to be attributed and that key terms are clearly defined. This potentially creates confusion for policyholders and (re)insurers alike and increases the risk of disputes. Cyber policy wordings should therefore be carefully reviewed in order to ameliorate these issues in the event of a claim for cyber-attack losses.