Infosec industry panic about new cyber insurance model clauses excluding cover for state-backed intrusions is wide of the mark, the Lloyd’s Market Association has told The Register.
The LMA, a trade body for Lloyd’s-affiliated insurance syndicates, published a series of model clauses last week that caused some disquiet among cybersecurity industry folk.
Quite a few infosec people reading the four draft clauses worried that they didn’t closely define cyber war – and wording suggesting that insurers wouldn’t pay out for “cyber war” had some wondering if LMA syndicates would automatically refuse any claim based on a state-backed threat actor’s activities.
Looking at the 18,000 orgs affected in the SolarWinds hack a year ago, such a stance would be unhelpful.
With cyber insurance being relied upon by, among many others, the British government as a means of driving up infosec standards across the UK, a market retreat would have difficult political policy implications. Premiums are already climbing steeply.
Happily the answer to the LMA conundrum was much simpler: many people read only the first clause, and even then didn’t have the insurance-specific knowledge to fully understand it. So the LMA said, anyway.
Patrick Davison, the LMA’s underwriting director, told The Register: “When we publish those clauses, we describe them as models, so they’re not published and then everyone immediately uses them. They are published as a kind of benchmark, effectively. So [insurers] are free to change them, ignore them, use them as drafted.”
From the point of view of the insurers, “Going right back to the beginning of this, the Lloyd’s syndicates operating in the Lloyd’s market are required to exclude war in all policies… It’s because the potential systemic exposure to the market is too great in the event of there being a war,” said Davison.
The 2020 guidelines outlined here [PDF] make it very clear that “all insurance and reinsurance policies written at Lloyd’s must contain a clause or clauses excluding all losses caused by War and NCBR perils.”
The clauses, Davison told us, are designed to be used in an insurance industry context, and within a long litany of court precedents and other snippets of insurance and contract law. The four of them differ significantly, with the first clause being the most restrictive and the fourth a bit wider in scope – the idea being that insurers pick one clause to insert into a new policy.
“The primary thing that they are designed to do is to bring the approach to war in the cyber market up to speed with what’s going on in the cyber market,” explained Davison. “So for example, it was not uncommon in the cyber market for people to use a clause that was drafted in 1937, which is not, as you can imagine, wholly up to speed with the exposure.”
That exposure has increased dramatically over the past few years, especially with the rise of double-extortion ransomware – the insurance industry has been quietly paying out (with a few high-profile exceptions).
Instead of narrowing coverage and leaving the world to sink or swim, the LMA reckons its new clauses will help “articulate the coverage position more clearly in the context of how cyber warfare occurs.”
That in turn depends on a body of old case law about the definition of “war” in insurance policies, case law founded on armed attacks against physical targets. The cyber world is rather different from that, in the LMA’s view.
“With clause one, the trigger is set very low,” said Davison when El Reg asked if cybersecurity pros’ fears over the new clauses were justified. “It [will not pay out for] anything that you can prove is state-backed. But the bar [against payouts] on clause four is quite high. Because first you have to prove that it’s state-backed. And second, it has to have a major detrimental impact on the functioning of the state, which if we look at SolarWinds, WannaCry, NotPetya… most events that have happened today would not trigger that solution.”
Insurers will attribute attacks – but quietly
Earlier this year the Royal United Services Institute recommended banning insurance-funded ransomware payments, on the grounds that such payouts merely enrich and encourage ransomware criminals. While the new clauses don’t explicitly say one way or another whether this ought to be done, they do take a surprisingly clear stance on attributing state-backed attacks.
Paragraph 5 of clause 4 says “the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its behalf.”
Would the LMA be attributing state-backed attacks off its own bat? Surely such a move has geopolitical implications in today’s febrile world?
“We’re just setting out here how we believe the insurance market is going to go about proving that the exclusion applies,” said Davison. “Which, for cyber war, is always going to turn on attribution.”
Insurance companies have the burden of proving an exclusion clause applies, he explained. If the insurer can make that “objectively reasonable” inference then it will privately attribute a particular attack to a nation state – but only in the absence of a governmental declaration that an attack was the fault of some other rogue state.
The LMA was keen to say that it doesn’t want to be misunderstood. Ultimately the conversation is about which draft clause a particular insurer picks, and the other wording in the rest of the insurance policy.
But it certainly seems that cyber insurance is going to become more nuanced – and possibly more muscular, if the attributions occur in practice. ®