STATE ACTING? LLOYD'S TAKES ACTION ON CYBER

The cyber insurance market in the United States continues to grow, with “U.S. domiciled insurers writing cyber coverage reported $2.75 billion in direct written premium in 2020. Direct earned premiums reported were $2.43 billion. Direct written premiums for the 2020 data year increased by 21.7% from the 2019 data year.”[1] In recent months, Lloyd’s of London[2] has taken action to address the growing exposure that cyber presents to the Lloyd’s market and to cyber insurers. This includes the recent issuance of a market bulletin that excludes state actors from coverage.[3]

In a recurring skit from his time as a Saturday Night Live cast member, Jon Lovitz’s “Master Thespian” character would conclude by stating, “I was only acting!”[4] Like the Master Thespian, whether someone was only “state acting” will be a subject that regulators and courts will resolve for many years to come.

This paper addresses the actions taken by Lloyd’s in the cyber market in the last few years, including the most recent August action that requires exclusion of cyber attacks by those that are state actors.

Defining State Actor

It is often hard to attribute the actions of hackers to a sovereign state. The Lloyd’s Market Association exclusions, which are discussed in the next section, contain language that attempts to clarify attribution. Each of the four clauses released in November 2021 includes the following language (emphasis in original):

Pending attribution by the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located, the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its behalf. It is agreed that during this period no loss shall be paid.[5]

This sounds straightforward, and if the state itself is the actor, the claim may be easy to deny. However, when it comes to the “nation state actor,”[6] the challenge is more pronounced. A nation state actor is often anonymous and, while perhaps acting on behalf of a sovereign state, is hard to pin down:

Nation-State Actors operate covertly and almost never acknowledge ownership of their actions, unlike our other Suspects, for whom claiming credit can be part of the reward for their labours. Nation-State Actors will go to extreme lengths to cover their tracks, and to make it as difficult as possible for cyber security experts to trace their campaigns back to their country of origin – often planting ‘false flags’ to mislead attribution efforts.[7]

State-sponsored attacks are a big fear of technology executives.[8] 

Recent Lloyd’s Developments 

The Lloyd’s cyber market “has 77 cyber risk insurers under its wing for which it sets the rules.”[9] The latest action by Lloyd’s follows a number of previous actions in the cyber insurance market.

Lloyd’s Requirement for Clarity on Cyber Coverage

On the Fourth of July 2019, Lloyd’s issued a bulletin to the market regarding clarity around whether cyber events were covered by all policies.[10] The bulletin provided in part that, for all policies issued on and after 1 January 2020, “Lloyd’s is mandating that all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.”[11] Under the bulletin, property and liability policies had different phase-in schedules.

Lloyd’s Market Association Exclusions

In addition, the Lloyd’s Market Association[12], which represents its “members' interests to organisations including governments, regulators, and the market's central supporting body, the Corporation of Lloyd's,” drafted four exclusion clauses to address cyber war and cyber operations in November 2021.[13] The four clauses are:

LMA5564 – War, Cyber War and Cyber Operation Exclusion No. 1

LMA5565 – War, Cyber War and Limited Cyber Operation Exclusion No. 2

LMA5566 – War, Cyber War and Limited Cyber Operations Exclusion No. 3

LMA5567 – War, Cyber War and Limited Cyber Operation Exclusion No. 4

The LMA stated with respect to the four clauses:

“In discussion with Lloyd’s it has been agreed that, in respect of standalone cyber insurance policies, these clauses meet the requirements set out in the Performance Management - Supplemental Requirements & Guidance (July 2020) which state that all insurance and reinsurance policies written at Lloyd’s must, except in very limited circumstances, contain a clause which excludes all losses caused by war.”[14]

The justification for this action by Lloyd’s and the LMA is that, without such clauses and limitations, premiums for cyber insurance will continue to increase exponentially, given how some courts are reading current policy wording and interpreting war exclusions.

One critique of these four LMA clauses or exclusions is that they define “war” and “cyber operation” but not “cyber war,” and so courts and insurers will have to continue to resolve the meaning of cyber war.[15]

To date, ISO has no specific cyber war exclusion. 

Is the war exclusion when it comes to cyber a bit “Mercky?”

Whether the war and cyber war exclusions will be successful is open to question. In a case that garnered much attention, Merck and International Indemnity v ACE, et al.,[16] the Superior Court of New Jersey rejected the defendant insurer’s attempt to exclude coverage under an all-risks policy held by the German pharmaceutical giant, Merck, for losses caused by the NotPetya malware exceeding $1.4 billion. The defendant asserted that NotPetya was an instrument of the Russian Federation and was deployed as part of a broader offensive campaign against Ukraine in 2017. Ace cited a war exclusion clause to avoid coverage. The war exclusion provided that there was no coverage for war or hostile acts. The New Jersey court rejected the argument, finding in part:

“The court starts by giving the words in the exclusion their ‘ordinary meaning’. The exclusion cites to ‘hostile or warlike action’.  As Plaintiffs correctly noted, warlike can only be interpreted as ‘like war’, citing to the Oxford English Dictionary.”[17]

The court went on to note that the exclusion had never been applied to similar facts by any court, writing: “As Plaintiff correctly notes in its brief, no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein. The evidence suggests that the language used in these policies has been virtually the same for many years.”[18] The court concluded that “Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare” and not to cyber-attacks.[19]

In finding for Merck, the court also looked to the U.S. Court of Appeals for the Second Circuit’s 1922 holding in Queens Insurance Co. v. Globe & Rutgers Fire Insurance Co.[20] The Queens court held:

“In order to impose liability under the war risk clause policy, all forms of hostilities or warlike operations of whatever kind must consist of some form or kind of hostility or warlike operations which have proximately caused the loss. Remote consequences of hostilities cannot become a recoverable loss.”

According to at least one report, Merck received payment from Ace for the claim.[21]

With the LMA clauses still relatively new, time will tell whether their language suffices.

The Latest Action From Lloyd’s

In August 2022, Lloyd’s issued its latest bulletin concerning cyber insurance, Ref: Y5381.[22] It addressed state-backed cyber-attacks and provided instructions to Lloyd’s underwriters and MGAs:

We are therefore requiring that all standalone cyber-attack policies falling within risk codes CY and CZ must include, unless agreed by Lloyd’s, a suitable clause excluding liability for losses arising from any state backed cyber-attack in accordance with the requirements set out below. This clause must be in addition to any war exclusion (which can form part of the same clause or be separate to it). At a minimum, the state backed cyber-attack exclusion must:

  1. exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
  2. (subject to 3) exclude losses arising from state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.
  3. be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state backed cyber-attack.
  4. set out a robust basis by which the parties agree on how any state backed cyber-attack will be attributed to one or more states.
  5. ensure all key terms are clearly defined.[23]

The key question for regulators and courts alike will be what counts as “state backed.” Identifying state actors in cyber-attacks is not always readily apparent, as many hackers work undercover and anonymously, and most nations, just as in the terrorism realm, do not directly take credit for the attacks.

As United States insurers adopt similar exclusions, it will be interesting to see whether the wording they adopt tracks what the LMA has issued.

OFAC Designations

The United States government has designated some state-sponsored actors under the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctions programs. In an October 2020 advisory,[24] OFAC advised in part (footnotes omitted):

OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions. For example, starting in 2013, a ransomware variant known as Cryptolocker was used to infect more than 234,000 computers, approximately half of which were in the United States. OFAC designated the developer of Cryptolocker, Evgeniy Mikhailovich Bogachev, in December 2016.

Starting in late 2015 and lasting approximately 34 months, SamSam ransomware was used to target mostly U.S. government institutions and companies, including the City of Atlanta, the Colorado Department of Transportation, and a large healthcare company. In November 2018, OFAC designated two Iranians for providing material support to a malicious cyber activity and identified two digital currency addresses used to funnel SamSam ransomware proceeds.

In May 2017, a ransomware known as WannaCry 2.0 infected approximately 300,000 computers in at least 150 countries. This attack was linked to the Lazarus Group, a cybercriminal organization sponsored by North Korea. OFAC designated the Lazarus Group and two sub-groups, Bluenoroff and Andariel, in September 2019.

Beginning in 2015, Evil Corp, a Russia-based cybercriminal organization, used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft. In December 2019, OFAC designated Evil Corp and its leader, Maksim Yakubets, for their development and distribution of the Dridex malware.[25]

While these designations are helpful, in all but one of the instances identified by OFAC the bad actors were designated without being directly tied to a nation state. As discussed, the challenge for everyone involved in this area under the new policy language will be to demonstrate that the hackers are connected to a sovereign nation state.

Whether a particular cyber-attack will be excluded under war exclusions will be fact dependent and will involve questions of who determines that a “war” has been declared or invoked.

Insurers will need to be able to convincingly link a cyber-attack to a particular nation state or state actor. This task may require the insurer to obtain the cooperation of national governmental agencies that hold relevant intelligence. Cyber-attacks, as noted, are often carefully masked, so that attribution in any particular instance may be difficult at best.

Conclusion

The most recent action by Lloyd’s will have a significant impact on the cyber insurance market in the United States, with many US cyber insurers likely to follow suit. Insureds with cyber policies containing such exclusions may find themselves fighting for coverage and attempting to distinguish the type of action involved when they are the victims of cyber-attacks. The battle over whether an attack is the work of a state actor will intensify.

References

[1] “NAIC Cyberinsurance Market 2020,” available at https://content.naic.org/sites/default/files/cmte-c-report-cybersecurity-insurance-market-211020.pdf

[2] Lloyd’s of London is a brokers market consisting of more than 350 brokers, more than 4,000 coverholder locations, and more than 250 service companies. https://www.lloyds.com/about-lloyds/our-market/lloyds-market.

[3] Lloyd’s Market Bulletin Ref: Y5381, available at https://assets.lloyds.com/media/35926dc8-c885-497b-aed8-6d2f87c1415d/Y5381%20Market%20Bulletin%20-%20Cyber-attack%20exclusions.pdf.

[4] See https://www.orangecoast.com/article/how-comedian-jon-lovitz-got-early-inspiration-in-orange-county/.

[5] file:///C:/Users/cotter/Downloads/LMA5564-WarCyberWarandCyberOperationExclusionNo1.pdf.

[6] https://www.baesystems.com/en/cybersecurity/feature/the-nation-state-actor.

[7] Id.

[8] Riley de León, CNBC, “50% of U.S. tech execs say state-sponsored cyber warfare their biggest threat: CNBC survey,” December 17, 2020, available at https://www.cnbc.com/2020/12/17/50percent-of-tech-execs-say-cyber-warfare-biggest-threat-cnbc-survey.html.

[9] Jude Karabus, “Unhappy about excluding nation-state attacks from cyberinsurance? Get ready to pay,” The Register, 6 September 2022, available at https://www.theregister.com/2022/09/06/lloyds_cyber_insurance_policy/.

[10] Lloyd’s Market Bulletin Ref: Y5258, available at https://assets.lloyds.com/assets/y5258-providing-clarity-for-lloyd-s-customers-on-coverage-for-cyber-exposures/1/Y5258%20-%20Providing%20clarity%20for%20Lloyd%E2%80%99s%20customers%20on%20coverage%20for%20cyber%20exposures.pdf.

[11] Id.

[12] Think of a trade association in the United States, such as the American Association of Managing General Agents. The Lloyd’s Market Association consists of “49 Lloyd's managing agencies, who write approximately £36 billion of premium per annum, and all Lloyd's members agents, are members of the LMA.”

[13] See Lloyd's Market Association Bulletin, LMA21-042-PD, 25 November 2021, available at https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA21-042-PD.aspx.

[14] Id.

[15] See LMA 5564, available at file:///C:/Users/cotter/Downloads/LMA5564-WarCyberWarandCyberOperationExclusionNo1.pdf.

[16] Merck and International Indemnity v ACE et al., Sup. Court of New Jersey, Law Division, Union County, Docket No.: UNN-L-2682-18, available at https://www.bloomberglaw.com/public/desktop/document/MerckCoIncvsAceAmericanInsuranCeDocketNoL00268218NJSuperCtLawDivA?1642788257.

[17] Id.

[18] Id.

[19] Id.

[20] Queens Ins. Co. v. Globe & Rutgers Fire Ins. Co., 282 F. 976 (2nd Cir. 1922).

[21] Jude Karabus, “Unhappy about excluding nation-state attacks from cyberinsurance? Get ready to pay,” The Register, 6 September 2022, available at https://www.theregister.com/2022/09/06/lloyds_cyber_insurance_policy/.

[22] Lloyd’s Market Bulletin Ref: Y5381, available at https://assets.lloyds.com/media/35926dc8-c885-497b-aed8-6d2f87c1415d/Y5381%20Market%20Bulletin%20-%20Cyber-attack%20exclusions.pdf.

[23] Id.

[24] Department of the Treasury, “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” October 1, 2020, available at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf.

[25] Id.