The New LMA War, Cyber War and Cyber Operation Exclusions for Cyber Insurance Policies
By Vincent J. Vitkowsky
On November 25, 2021, the Lloyd’s Market Association released four War, Cyber War and Cyber Operation Exclusions (“Exclusions”). The LMA Cyber Business Panel spent well over two years drafting the Exclusions, which are models for use in standalone cyber insurance policies. Lloyd’s has agreed that they meet the requirement that all insurance and reinsurance policies written at Lloyd’s must, except in very limited circumstances, contain a clause which excludes all losses caused by war. The Exclusions address several difficult issues that have troubled the cyber insurance market for years, following cyberattacks by nation-states (“states”) and by threat actors associated with them. They attempt to reduce uncertainty for both insurers and policyholders.
Five interrelated issues.
- The treatment of collateral damage (borrowing a concept from the traditional Law of Armed Conflict). Some state-sponsored attacks had significant effects on many entities that were not the intended targets.
- How attribution is to be determined, and whether the insurers have an obligation to make payments while attribution is being determined.
- The extent to which attacks by non-state actors associated with a state are excluded.
- The treatment of state and state-sponsored cyberattacks directed at essential services, most notably those disrupting financial institutions and the financial markets infrastructure.
- Limiting the aggregation risk, as war exclusions in all lines of business attempt to do.
The Exclusions.
The principal innovations in the Exclusions are to introduce the concept of “cyber operation” to insurance, to set processes for determining attribution, to partially clarify the scope of essential service, and to set a structure that de facto mitigates the aggregation risk.
The key concepts and terms are as follows.
War. All four Exclusions contain an identical definition of War, largely based on traditional insurance policy language dating back to the Spanish Civil War. It is “the use of physical force by a state against another state, or as part of a civil war, rebellion, revolution, insurrection, and/or military or usurped power or confiscation or nationalisation or requisition or destruction or damage to property by or under the order of any government or public or local authority, whether war be declared or not.” (Emphasis is added, throughout this note.) In the context of cyber war, this would include a cyberattack with kinetic effects.
Cyber operation. All four Exclusions also have an identical and innovative definition of cyber operation. It is “the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.”
Attribution. All four Exclusions also contain an identical and innovative provision on “Attribution of a cyber operation to a state.” It provides that the “primary but not exclusive factor” in attribution “shall be whether the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf.” Pending attribution by a state, “the insurer may rely upon an inference which is objectively reasonable as to attribution,” and no loss shall be paid. If the affected state “takes an unreasonable length of time to, or does not, or declares it is unable to attribute the cyber operation to another state or those acting on its behalf,” the insurer, bearing the burden of proof, must “prove attribution by reference to such other evidence as is available.”
Specified States. This term appears in some of the Exclusions. The specified states are China, France, Germany, Japan, Russia, UK or USA.
The four exclusions treat cyber operations differently.
The first Exclusion simply provides a blanket denial of coverage for loss “directly or indirectly occasioned by, happening through or in consequence of war or a cyber operation.”
The other three Exclusions deny coverage for loss “directly or indirectly occasioned by, happening through or in consequence of war or a cyber operation that is carried out in the course of war.”
The second Exclusion has additional provisions denying coverage for “retaliatory cyber operations between any specified states; and/or a cyber operation that has a major detrimental impact on the functioning of a state due to the direct or indirect effect of the cyber operation on the availability, integrity, or delivery of an essential service in that state; and/or the security or defense of a state.” Although these are excluded, the policy may grant coverage for “any other cyber operations,” with a separately negotiated limit and aggregate.
Significantly, essential service is defined as “a service that is essential for the maintenance or vital functions of a state including without limitation: financial institutions and associated financial market infrastructure, health services or utility services.”
The third Exclusion is identical to the second, except it does not grant coverage for “any other cyber operations,” i.e., cyber operations that are not carried out in the course of war, are not retaliatory cyber operations between specified states, and do not have a major detrimental impact.
The fourth Exclusion is identical to the third, except it introduces the concept of “impacted state,” defined as “any state where a cyber operation has had a major detrimental impact on the functioning of that state [as defined in the third Exclusion], and/or security or defense of that state.” Moreover, it limits the Exclusion for retaliatory cyber operations to those “leading to two or more specified states becoming impacted states.” It also provides an exception to the Exclusion for loss from a cyber operation that has a major detrimental impact, so the Exclusion “shall not apply to the direct or indirect effect of a cyber operation on a bystanding cyber asset.” That term is defined as “a computer system used by an insured or its third party service providers that is not physically located in an impacted state but is affected by a cyber operation.”
The complete Exclusions can be found here.
A serious attempt to reduce uncertainty.
These Exclusions are not perfect. Nothing is. There is scope for dispute about the terms “an inference which is objectively reasonable,” “reference to such other evidence as is available,” “major detrimental impact,” and “essential service,” among others, as applied to specific facts. But the Exclusions reflect a well-reasoned, serious attempt to reduce some of the uncertainties over the scope of coverage for state and state-sponsored attacks.
Written Dec. 9, 2021 and posted with permission with minor formatting changes. Copyright 2021 by Vincent J. Vitkowsky. All rights reserved.