Buyers are growing more concerned about moves by insurers to exclude cyberwar protection than about the recent spate of cyber coverage litigation, a leading European cyber broker has told Commercial Risk.
Last month, US food manufacturer Mondelez agreed an out-of-court settlement with Zurich American Insurance, ending its coverage dispute over cyber losses related to the 2017 NotPetya malware attack. The settlement followed a summary judgment in January in favour of US pharmaceutical group Merck in a similar dispute with insurer Chubb. That ruling is being appealed.
The private out-of-court resolution in the Mondelez case was disappointing for those in the market hoping for precedent-setting legal clarity on the issue of cyberwar. Judgments in such coverage litigation are often taken into account by brokers and insurers when drafting policy language.
While the Mondelez and Merck cases were keenly watched, buyers are more interested in developments in the cyber insurance market, which has been busy working on new cyberwar exclusions, according to Jean Bayon de La Tour, head of cyber for Marsh in continental Europe.
“Marsh customers are asking more questions about market-based changes to war exclusions than these particular lawsuits. Unsurprisingly, our clients do not blindly accept when new restrictions/exclusions are imposed by insurers, so we are having many nuanced discussions with clients right now,” he told Commercial Risk.
“The language pertaining to war in cyber policies is evolving in a positive way, at least via Lloyd’s. It is the language pertaining to state-backed or nation-state cyberactivity that is causing significant concern, particularly where it falls short of armed conflict or physical war between two or more sovereign nations,” he said.
Both the Mondelez and Merck coverage disputes centred on war exclusions triggered by insurers to avoid paying cyber losses under a property insurance policy. However, the litigation highlights the broader issue of how insurance responds to cyberwar and nation-state attacks.
Most insurance contracts exclude acts of war but such wordings were not drafted with cyber losses in mind. NotPetya coverage litigation, among other factors, has caused the insurance market to revisit war exclusions for state-sponsored cyberattacks. At the same time, insurers have introduced exclusions for so-called ‘silent cyber’ in P&C policies to clarify whether cover is granted or not after a cyber event.
Coverage litigation following the NotPetya attack accelerated discussions on war exclusions and has resulted in new clauses aimed at removing or restricting cover for nation-state cyberattacks. “Most of the case law has interpreted war in the context of physical war, hence insurers wanted to tackle the issue of non-physical war and the subsequent development of new war clauses,” said Bayon de La Tour.
In December 2021, the Lloyd’s Market Association (LMA) published four new model exclusion clauses for cyberwar and state-attributed cyber operations. The updated, voluntary war risk exclusions were developed for standalone cyber insurance and either exclude all coverage due to war or nation-state activity, or provide exemptions such as sub-limited cover for nation-state activity that falls below a certain threshold.
According to Bayon de La Tour, the LMA clauses have had a mixed reception. Many Lloyd’s insurers are keen to utilise one of the options but others do not find the LMA wordings satisfactory and/or continue to use their own war exclusions, he said.
Acting on behalf of clients, Marsh has also expressed its concerns over the LMA wordings. The broker argued that the new exclusions “may increase uncertainty regarding the scope and performance of policies that employ them, thus jeopardising the assurance that clients may take from any coverage within their cyber insurance programmes”.
In particular, Marsh said the LMA exclusions rely on a number of “ambiguous terms” that currently have either an ambiguous threshold, an unclear meaning or no ordinary interpretation. It also noted that the exclusions introduce the complex term of “cyber operation”, and that the LMA’s proposed criteria for attribution are unclear.
“Recognising that Munich Re and others were in the process of adopting one of the four model clauses, we engaged with Munich Re to address as many of our concerns as possible in an effort to protect and promote our clients’ interests,” said Bayon de La Tour. “We have given feedback to Munich Re on the topic of war and cyber operations exclusion, which is a good step in the right direction but does not solve all our worries,” he said.
While the revised clauses should see the insurance market move towards coverage clarity for cyberattacks, Marsh said it will continue to act in the interests of its clients and engage with insurers to help inform their cyber strategies. “Is it perfect? No, but it can never be perfect. While we are not 100% there, we have made extensive efforts to take a good step in the right direction for the benefit of our clients,” said Bayon de La Tour.
There is a general requirement for all Lloyd’s policies to exclude cyberwar losses but the new LMA war exclusions are not mandatory. However, in August, Lloyd’s announced that syndicates will be required to exclude losses in all standalone cyber insurance policies arising from state-sponsored cyberattacks from 31 March next year.
Lloyd’s effectively restated its existing prohibition on covering war risk and clarified that syndicates must also account for their exposure to a non-physical, cyber-enabled state-on-state attack, which may be as harmful as a physical act of war. However, Lloyd’s does not require an absolute exclusion for state-backed cyberattacks, irrespective of the scale of the impact. Instead, such attacks must be excluded when they cause a significant impairment to another state.
There is a growing gap between Lloyd’s and the broader market, according to Bayon de La Tour. “Many insurers – within certain parameters – have expressed their intent to continue to cover an event that is widely attributed to a state actor but is not accompanied by a physical war, through the policy wording construction of a war exclusion with a ‘cyberterrorism’ carve-out,” he said.
Lloyd’s mandate has been misinterpreted by some, according to Bayon de La Tour. “I think it has been understood as broader than it is – it only excludes attacks that have a ‘major detrimental impact’ and not all state-sponsored attacks,” he explained.
There is currently no specialist cyberwar risks market, as is the case for aviation and marine, but there is demand for such cover, according to Bayon de La Tour. “We have had discussions with our war colleagues on that front. As of today, the war market is not ready. But there is a gap and when things stabilise, it might create an opportunity. But it is too early now,” he said.