Lloyd’s of London To End Insurance For Nation State Cyberattacks

Insurance protections for organisations against cyberattacks is to undergo a major shakeup, after an announcement from the world’s leading underwriter.

Lloyd’s of London in a market bulletin told its insurers they will be required to stop covering nation state-backed cyberattacks in their standard cyber insurance policies.

It comes after many organisations over the years opted (against professional cyber advice), to pay hackers huge sums of money and claim on their cyber insurance policies, after experiencing a ‘cyber security incident’.

Insurance cover

The question remains however is how many organisations actually experience a cyberattack from a hostile nation state or state actors, and not a cyber criminal gang, which are sometimes affiliated to hostile governments.

And the change will mean that the accurate identification of hackers will become even more important going forward.

Lloyd’s of London in its market bulletin noted that “market for coverage against cyber-attack losses has grown rapidly in recent years to become a significant class of business for insurers.”

The insurer warned that a large-scale cyberattack launched by a foreign power could expose underwriters to systemic risks, due to the damage such attacks can cause and their ability to spread on a widespread basis.

It also warned the risk is heightened by the world’s heavy reliance on digital infrastructure as it said the losses could go far beyond the market’s capacity.

“Lloyd’s remains strongly supportive of the writing of cyber-attack cover but recognises also that cyber related business continues to be an evolving risk,” the insurance marketplace said. “If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage.”

The organisation is now telling its underwriters to make exclusions for cyberattacks launched by governments and state actors.

“In particular, the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb,” it said.

“For this reason, we have consistently emphasised that underwriters need to be clear in their wordings as to the cover they are providing,” it added.

The new policy from Lloyd’s of London comes amid concern the world could see a major increase in cyberattacks amid the ongoing war in Ukraine, plus an increased threat from Russian hackers.

Lloyd’s said standalone cyberattack policies must include clauses excluding liability for losses arising from state-backed hacks, unless approved by Lloyd’s.

It said the new policy will come into effect in March 2023 or on renewal of each cyberattack policy.

State hacks for sale

The change has already drawn a reaction from cybersecurity specialists, incuding Paul Brucciani, cyber security advisor at cyber and privacy specialist WithSecure.

‘Lloyds’s of London exists to make money by underwriting risk,” noted Brucciani. “With profits already under pressure from the worldwide wave of ransomware claims, these have been exacerbated by the losses caused by cyberattacks precipitated by the Russian invasion of Ukraine. Even though Lloyd’s is no longer willing to underwrite losses arising from state-backed attacks, this is easier said than done.”

“Interpol Secretary General Jurgen Stock warned at the World Economic Forum in Davos, Switzerland, in May 2022 that nation-state malware could become a commodity on the dark web soon, making it much harder to distinguish criminal attacks from state-backed attacks,” noted Brucciani.

“Criminal actors could perform reverse engineering of military-made malicious code and use their own versions in attacks ‘in the wild’,” Brucciani added. “Nation-states with access to cyber weapons used in the conflict could also simulate ‘in the wild’ attacks, making the attribution impossible.”

“The cyber insurance market is hardening,” said Brucciani. “Companies seeking cyber insurance should look at it as a source of emergency finance to pay for specialist technical and professional services support.”

“Companies can significantly reduce their cyber security risk by doing the following,” Brucciani advised.

• • • • Make those responsible for managing risk define the cyber risk management strategy
      • Conduct regular, phishing awareness training
      • Mandate multi-factor authentication to access network resources
      • Use only password manager-generated passwords
      • Maintain an inventory of IT assets and patch them regularly, to minimize your attack surface
      • Impede attackers with proactive detection and response controls
      • Rehearse what you would do when a security incident happens.’