Lloyd’s to end insurance coverage for state cyber attacks

Insurance market Lloyd’s of London has indicated that it will move to require its insurance groups to exclude “catastrophic” nation state cyber attacks from cyber insurance policies from 31 March 2023.

According to the Wall Street Journal, which was first to report the story, the change will supposedly ensure that the scope of cyber insurance policies is made clear to buyers, and is being made because Lloyd’s believes the impact of state-backed attacks is a “systemic risk”.

The newspaper cited a 16 August notice written by underwriting director Tony Chaudhry. Chaudhry said Lloyd’s remained strongly supportive of cyber insurance, but that such policies needed to be appropriately managed given the fast-evolving nature of the threat landscape.

Chaudhry said that in particular, the ability of nation state-backed threat actors to spread their attacks quickly and easily and the critical dependencies that societies now have on digital infrastructure meant that the losses that could arise “have the potential to greatly exceed what the insurance market is able to absorb”.

The move by Lloyd’s reflects a growing trend among cyber insurers to tighten the terms and conditions of their policies. Speaking to Computer Weekly earlier in 2022, Heidi Shey, a principal analyst at Forrester, described a “hardening of the market” that has seen, among other things, insurer AXA France suspend reimbursements for ransomware payments.

In the same article, Simon Gilbert of insurance brokerage Elmore commented: “The major trend we have seen in the past 12 months is a reduction in the limit of indemnity – the maximum amount an insurer will pay under a policy – and the rising cost of cyber insurance due to ransomware losses impacting the cyber insurance portfolio of almost every insurer.”

The changes lend further weight to concerns that organisations are increasingly finding it difficult to procure appropriate cyber insurance coverage, as recent research produced by risk management specialist Huntsman Security showed.

The firm’s CEO, Peter Woollacott, said there were a number of factors in play, including tighter regulatory controls, increasing premiums, increasingly rigorous underwriting, capacity constraints, and coverage limits such as those proposed by Lloyd’s.

He warned that the number of organisations that would not be able to afford cyber insurance, would end up with insufficient coverage, or be refused coverage altogether, could double by the end of 2023.

“With this reduced insurance access alongside increasing cyber threats and tightening regulations, many organisations are losing cyber insurance as an important risk management tool,” said Woollacott. “Even those who can still get insurance are paying a prohibitively high cost.”

For these reasons, security leaders need to be clear that cyber insurance is only one of many levers they can pull, and should not be used to replace the controls that should already be in place, said Tom Venables, practice director for application and cyber security at Turnkey Consulting.

“Someone might insure their car, but still obey the speed limit, wear a seatbelt and avoid drinking and driving,” he said. “In other words, despite being insured, they take additional preventative measures to ensure the risk to the car is kept to a minimum.

“Applying this principle to cyber insurance, security professionals need to focus on understanding the risk to the organisation. They need to know the information assets that require protecting, how those assets may be vulnerable, and what controls are required to reduce the risk.

“Databases might all have up-to-date patching, but if one supports a business-critical application, such as controlling a production line, it may be more critical in the event of a ransomware attack.”