Marsh rejects LMA cyberwar exclusions
War exclusions risk “killing” the cyber insurance market even though the war in Ukraine has yet to generate claims for cyber insurers, according to Jean Bayon de La Tour, head of cyber for continental Europe at Marsh, who said the broker is unhappy with Lloyd’s Market Association’s (LMA) recent cyberwar wordings.
Speaking on a DBRS Morningstar webinar, Bayon de La Tour criticised the war exclusion developed by the LMA, noting that the market has so far failed to reach a consensus on how to tackle catastrophic cyber exposures.
The war in Ukraine is “paving the way for further discussion on war exclusions and systemic risk”, according to Bayon de La Tour. In November last year, the LMA published a suite of cyberwar exclusions but these have yet to garner broad support in the market, he explained.
Marsh, for example, has rejected the cyberwar clauses drafted by the Lloyd’s market last year. “The LMA clause, we don’t use it because we don’t agree with it. But we do work on amended versions,” said Bayon de La Tour.
“The war in Ukraine is not helping [the cyber market] have calm discussions on that front. The LMA group has been working for years [on cyberwar clauses] and we tried, on behalf of clients, to give our voice, because we have our concerns on these exclusions. But we had little success with having our voice heard,” said Bayon de La Tour.
Despite widespread concerns that the war in Ukraine could “spill over” into the cyber market, the conflict has not led to a rise in cyber insurance claims, according to the broker. Regulators and governments in the EU and US have warned companies that hackers linked to Russia could launch attacks against western companies and infrastructure in retaliation for western governments’ support for Ukraine.
“Surprisingly, claims activity has not increased [since the war began]”, according to Bayon de La Tour. “When we discuss with IT professionals and clients, we see more cyberattacks and activity but it has not turned into claims. Companies are well prepared and know to expect it. A cyberattack by definition is a surprise. When you know how an enemy operates, you can be better prepared and that may be why they are not successful,” he said.
Broadly, non-physical damage cyber losses related to the war in Ukraine are likely to be covered under existing cyber insurance contracts, depending on war exclusion wordings and local laws, the Marsh broker explained. But property damage in Ukraine caused by a Russian cyberattack would not be covered under a property policy war exclusion, he added.
Attributing cyberattacks to the war between Russia and Ukraine, which would typically be required to trigger a war exclusion, is complex, explained Bayon de La Tour. Excluding the loss would likely require the insurer to demonstrate that the Russian army was behind the attack and it was linked to the conflict in Ukraine.
The issue of how to tackle cyber claims arising from war and terrorism pre-dates the war in Ukraine. The 2017 Not Petya malware attack caused widespread disruption and sparked a number of insurance disputes in which insurers used war clauses in property policies to reject claims. Five years on, and the insurance market has yet to reach consensus on how best to address the problem of catastrophic or systemic cyber events, explained Bayon de La Tour.
“Today, what we see is no consensus among insurers, including at Lloyd’s, on these LMA exclusions. Some of them are willing to use it, so we are engaging with them in order to agree on a case-by-case basis, with each carrier, something that in our view would be acceptable. Some of them are happy with the current [exclusions] they have – so they are used to working with a wide exclusion and are happy to continue to work on that basis,” said Bayon de La Tour.
“Some of them are not happy with any of these and are launching a new group [under the International Underwriting Association). They are launching a new group – including with brokers – in order to work on these clauses. What that shows is there is no consensus,” he said.
The market needs to find a balance between buyers’ demand for cyber cover and contract certainty, while insurers need to protect themselves from catastrophic and systemic losses, explained Bayon de La Tour. “There is a scenario where a cyberattack can be linked to a war that could be catastrophic. It is important to look at the big picture. There is a kind of collateral damage potential, and this needs to be better understood and addressed by the insurance market,” he said.
One of the key concerns around the LMA cyberwar exclusions is attribution. In order to trigger a war exclusion, the carrier must first prove that a cyberattack was carried out or sponsored by a nation state. However, insurers do not have the means to attribute cyberattacks and governments may have political motivations.
“[The LMA clause] opens the floor for insurers to use governments’ verification to justify attribution. Some other insurers – and we are working with them – take a different view, that [unilateral bodies like] the United Nations or NATO would state officially where it comes from. This gives a little more comfort and we are working in that direction,” Bayon de La Tour said.
“Basically, the goal in discussions with insurers is to understand what is too big for the insurance industry – and unfortunately, we need to exclude it – and what is big, but is sustainable in the insurance market,” he said.
In particular, Marsh is concerned that overly broad cyberwar clauses could theoretically enable insurers to reject claims where buyers would normally expect their policies to payout.
“We have to be clear and work on contract certainty, and not put in all these blurry words about attribution. It will kill the market at the end of the day. Clients are asking themselves: Is it worth it, in terms of rate, in terms of coverage? We have to be quite careful on that front,” said Bayon de La Tour.
“Through attribution, we must be careful not to vacuum all of the [cover from the] policy. By definition, malicious cyberattacks are malicious and you do not know who is doing it, as it’s on the internet and done remotely,” he said.
There are alternative ways for insurers to protect themselves from catastrophic losses without resorting to attribution, argued Bayon de La Tour.
First, the industry needs to grow the size of the cyber market and expand into the mid-market to bring diversity for insurers and a more sustainable portfolio.
The cyber market currently is expected to grow from $8bn today to about $28bn in 2028, according to DBRS Morningstar.
The market also needs to address catastrophic losses without resorting to attribution, which could potentially be done by limiting the coverage periods for cyber business interruption, said Bayon de La Tour.
