
Insurance for Cyberattacks Launched by State-Sponsored Actors Undergoing Scrutiny and Change

Cyberattacks remain a significant threat to businesses – small and large alike. The damages associated with a cyberattack, such as data loss, public exposure of data, theft of intellectual property, and harm to brand reputation, are immediate and can continue for several years.

While cyber insurance is a key risk mitigation and transfer tool utilized by businesses to seek reimbursement for financial losses incurred due to a cyber incident, insurance often has limits. As discussed below, those limits may be expanding in a significant way.

Depending on the language of a cyber insurance policy, there are several expenses and impacts of a cyberattack that can fall outside of coverage. Among those are:

  • direct financial fraud, e.g., monies the business is duped into sending to the attacker voluntarily or willingly;
  • the loss of future sales or market share (unless proven to be directly linked to the original data breach);
  • financial damages associated with the loss of intellectual property or other confidential or proprietary information;
  • the costs to enhance the business’s cybersecurity protection (e.g., new technology, controls, or policies) to reduce the risk of future cyberattacks; and
  • cyberattacks launched by “state-sponsored” actors.

The last item is worth further discussion and explanation, particularly as cyberattacks are increasingly suspected of being perpetrated by sophisticated actors sponsored by foreign sovereign states.

Many cyber insurance policies include “war exclusions,” which insurers have argued encompass cyberattacks launched by sovereign state-sponsored entities. Such cyberattacks, it is argued, trigger exclusions for war, an act of war, or a nation-state attack. These arguments have already begun playing out in courts across the United States, most notably in connection with the state-sponsored cyberattack in 2017, which involved the launch of malware known as “NotPetya.” The United States government publicly blamed Russian security services for the attack, which caused over $10 billion in losses to businesses worldwide.

In one of the more publicized cases, Merck & Co. v. ACE American Insurance Co., the New Jersey Superior Court ruled, on January 13, 2022, that Merck’s insurers could not rely on the war exclusion because that exclusion was intended to apply to losses resulting from an armed conflict. The Merck & Co. decision is currently on appeal. Still, as discussed in a February 8, 2023 article in the Wall Street Journal, its impact has reverberated among the insurance community as everyone awaits the Appellate Court’s ruling.

The insurance industry has been quick to respond and adjust. Even before the decision in Merck & Co., Lloyd’s of London released, on November 25, 2021, four new cyber war and cyber operation exclusion clauses that deny coverage for losses resulting from nation-state-sponsored cyberattacks. Following the decision in Merck & Co., Lloyd’s took it a step further by issuing a market bulletin on August 16, 2022, that addresses losses arising from cyberattacks “sponsored by sovereign states” that may occur outside the traditional wartime context. In the market bulletin, Lloyd’s of London explains:

The market for coverage against cyber-attack losses has grown rapidly in recent years to become a significant class of business for insurers. … Lloyd’s remains strongly supportive of the writing of cyber-attack cover but recognizes also that cyber related business continues to be an evolving risk. If not managed properly, it has the potential to expose the market to systemic risks that syndicates could struggle to manage. In particular, the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb.

The market bulletin continues by advising that “when writing cyber-attack risks, underwriters need to take account of the possibility that state-backed attacks may occur outside of a war involving physical force.” It further explains that the goal of the market bulletin is to ensure that “all syndicates writing in this class are doing so at an appropriate standard, with robust wordings.” The market bulletin thus states:

We are therefore requiring that all standalone cyber-attack policies … must include … a suitable clause excluding liability for losses arising from any state-backed cyber-attack. … This clause must be in addition to any war exclusion. … At a minimum, the state-backed cyber-attack exclusion must: (1) exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion; (2) exclude losses arising from state-backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state; (3) be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state-backed cyber-attack; (4) set out a robust basis by which the parties agree on how any state-backed cyberattack will be attributed to one or more states; and (5) ensure all key terms are clearly defined.

In short, the market bulletin mandates that new exclusions be added to all stand-alone cyberattack policies issued by Lloyd’s of London insurers and implemented for all other policies covering cyberattacks, including at renewals, beginning March 31, 2023.

While the Lloyd’s of London market guidance does not apply to insurers domiciled in the United States, it bears significant weight and may prompt similar actions from domestic insurers in the near term. Indeed, while it remains to be seen to what extent other insurance providers will mimic Lloyd’s decision to exclude state-backed cyberattacks from standard cyber insurance policies, there are already hints that they will likely follow suit.

What does this mean for businesses? You should carefully review your cyber, property, and other insurance policies with your broker for cyberattack coverage. In particular, the focus should be on wartime, act-of-war, and similarly added exclusions that might limit coverage for state-sponsored cyberattacks.

If you are facing issues related to what I have discussed, our experienced coverage counsel can help with claims and coverage analyses; please feel free to contact us for a consultation.

ABOUT WARREN KOSHOFER

warren.koshofer@offitkurman.com | 267.338.1393

Warren A. Koshofer is a principal in the firm’s Commercial Litigation, Environmental, and Insurance practice groups. Mr. Koshofer focuses his practice on business, commercial, environmental, insurance, intra-company, real estate, and toxic tort construction-related litigation matters, as well as on due diligence, indemnification, and risk management relating to commercial or industrial real estate transactions or company mergers and acquisitions involving such real estate assets and/or potential environmental liabilities. He represents clients at the state, federal, trial, and appellate court levels, including Fortune 100 companies, partnerships, and high-profile individuals. He also handles matters before administrative law courts, regulatory agencies, and alternative dispute resolution forums nationwide. Mr. Koshofer has consistently been recognized by Martindale Hubbell as an AV (preeminent) peer-rated attorney and by Super Lawyers and Who’s Who in Law.