What To Expect From The Lloyd's Mandate To Exclude State-Sponsored Cyberattacks

On August 16, 2022, Lloyd’s issued a market bulletin stating that — as of March 31, 2023 — Lloyd’s insurers will be required to exclude losses in all standalone cyber insurance policies arising from state-sponsored cyberattacks. Lloyd’s cited concerns about systemic risk, the ease with which a widespread cyberattack can be launched, and the resulting losses stemming from global society’s dependence on IT infrastructure.

To comply with the new Lloyd’s mandate, cyber policies that fall within risk codes CY and CZ must:

  1. Exclude losses arising from a war (whether declared or not), if the policy does not have a separate war exclusion.

  2. Exclude (subject to item 3 below) losses arising from state-backed cyberattacks that significantly impair either the ability of a state to function or the security capabilities of a state.

  3. Be clear about whether the policy excludes computer systems located outside any state affected in the manner outlined in item 2 above by the state-backed cyberattack.

  4. Set out a robust basis by which the parties agree on how any state-backed cyberattack will be attributed to one or more states.

  5. Ensure all key terms are clearly defined.

The bulletin notes that the model war exclusions released in November 2021 meet these requirements. Use of those exclusions, however, is not mandatory.

Insurers at Lloyd’s are still determining how to react. Prior to the bulletin being issued, some insurers had begun using one or more of the model war exclusions. Others have been using modified versions or continue to use more traditional war exclusions.

Going forward, Lockton believes the manner in which insurers comply with the exclusion mandate is likely to be dictated in part by the views of their reinsurers. The model exclusions are very different from traditional war exclusions in cyber policies: For example, the exclusion language extends to losses arising from state-backed cyberattacks that take place outside the context of a war.

The wordings are entirely new and are not an evolution of current exclusions. The intent behind them is to provide greater certainty about the circumstances under which they will apply.

As with any new policy wording, the exclusions will answer some questions while raising others. It remains to be seen whether reinsurers will drive use of the model exclusions or allow some flexibility on exclusion wording.

Lockton is aware of concerns that the Lloyd’s bulletin — and the exclusion mandate it contains — may cause organizations insured at Lloyd’s to lose coverage they have now. We do not think this is likely to occur.

Attacks arising from a war are already excluded by existing war exclusions in most cyber insurance policies. The new model exclusions published by the Lloyd’s Market Association attempt to clarify what a war is, but the scope of the new definition is not radically different from what is in most current policies.

Broadly speaking, cyber policies will continue to contemplate cover for state-sponsored cyberattacks. Coverage will not be excluded unless the attack “significantly impairs” the ability of a nation to function or its security capabilities, and also happens to affect the insured. Such an attack could trigger some current war exclusions.

Fortunately, if such attacks continue to be extremely rare, exclusions created to comply with the new Lloyd’s mandate should in fact create minimal change to how most policies currently respond.

For more information about war exclusions in cyber policies, review our recent white paper. If you have any questions, please contact your Lockton adviser or contact us at cyber@lockton.com.