The insurance industry is attempting to modernize war exclusions to address the 21st century risk of state-sponsored cyber operations. It has proven to be a challenging project.
Many current war exclusions date back to the 1930s. They arise from the intense bombings of cities in Ethiopia during the second Italo-Ethiopian War, and in Spain during the Spanish Civil War. Those bombings made it clear that property insurers were exposed to massive aggregation in conflicts that were not declared wars. In response, Lloyd’s and the London Market introduced the first modern so-called War Exclusion, NMA 464, 1/1/38.
That exclusion provides, in essence, that “this Policy does not cover Loss or Damage directly or indirectly, [from] war, invasion, acts of foreign enemies, hostilities (whether war be declared or not), civil war, rebellion, revolution, insurrection, military or usurped power [ . . . and similar acts].”
A common variation excludes “Loss or damage caused by hostile or warlike action in time of peace or war … by any government or sovereign power . . . or by an agent of such government . . ..”
These exclusions were widely adopted, and not much happened for 75 years. But then, many insurers, especially cyber insurers, became concerned about the deficiencies in these war exclusions. They recognized the need to modernize them. Again, the overriding concern was massive correlated aggregation. More than any other type of insurance, cyber insurance is exposed to correlated widespread aggregation. In addition, there were other gaps and uncertainties in the construction of war exclusions as applied to state-sponsored cyber operations, and there is a pressing need to provide more clarity for everyone – insureds, brokers, insurers, reinsurers, and others who might assume cyber risks.
The London Market Associations Exclusions
To address these issues, in November 2021, the Lloyd’s Market Association (“LMA”) released four War, Cyber War and Cyber Operation Exclusions. It spent well over two years drafting the Exclusions, which were supposed to be models for standalone cyber policies. The clauses ranged from a blanket exclusion, to gradations of exclusions and exceptions for various losses. In a companion Market Bulletin, Lloyd’s required all standalone cyber policies to have Exclusions addressing these issues, with the requirement taking effect March 31, 2023. It said that although the LMA exclusions themselves were not mandatory, they would meet all requirements. Insurers were free to use different language, if vetted by counsel and approved by Lloyd’s.
The LMA’s principal innovations were to define “cyber operations” as the use of a computer system by, or on behalf of, a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state. The trigger was an attack that had a major detrimental impact on a state’s delivery of essential services, or its security or defense. Such states were defined as “impacted states”. The Exclusions clarified that “essential services” included (among other things) financial institutions and associated financial market infrastructure. One of the Exclusions provided an exception for a “bystanding cyber asset”, which is “a computer system used by the insured or its third party service providers that is not physically located in an impacted state but is affected by a cyber operation.” Some of the clauses excluded loss or damage from retaliatory operations between identified “Specified States,” identified as China, France, Germany, Japan, Russia, the UK or the US. Those Exclusions operated when two or more of the Specified States became impacted states. All four Exclusions had an identical provision on Attribution, setting forth factors and standards for evidence, and addressing payment obligations pending attribution.
The Revised LMA Exclusions
This was a serious effort to clarify the position, for the benefit of all parties. But it went too far, too fast. There was enormous blowback, from brokers and insurers, and the original clauses were withdrawn and replaced in January 2023.
There are now eight clauses, consisting of two sets of four. The first set, the “A” set, retains many features from the original LMA Exclusions. The changes vary from the originals for each Exclusion, but here are some of the main ones. The term bystander cyber asset was removed, but the concept was retained, and actually expanded, in that the exception appears in more of the Exclusions than before. The concept of Specified States is gone, so there is no exclusion for losses from a cyber clash of great powers. And one of the clauses seems to implicitly except so-called “patriotic citizen hacking groups,” because it provides that the cyber operation must be at the direction of, or under the control of, a state.
The most significant changes are in the attribution provisions, which were the most controversial provisions of the originals. All of the originals expressly provided that no loss would be paid pending a determination of attribution. But all four new “A” clauses take that out. The originals gave primacy (but not exclusivity) to an attribution made by the state in which the affected computer system is physically located. While that can still be considered, the status of “primacy” is gone. In the originals, absent a state-made attribution, the ultimate test was for the insurer to prove attribution by reference to “such other evidence as is available”. Under the new clauses, the insured and insurer will consider such “objectively reasonable evidence that is available to them.” The new clauses explicitly state that the insurer bears the burden of proof (which it did anyway).
The radical changes are in the “B” clauses. They are the same as the “A” clauses, except they do not address attribution at all. They are therefore not compliant with Lloyd’s requirements, unless there is prior agreement from Lloyd’s. However, Lloyd’s has confirmed that clauses that do not address attribution will be considered, “so long as there is a mechanism for dealing with resolving questions of attribution in the policy, or a robust reason can be given for why it is not required.”
Notwithstanding the newly-released Exclusions, the March 31 deadline for compliance remained in effect. London agencies and their solicitors have been actively engaging with Lloyd’s on what those “mechanisms” and “robust reasons” could consist of.
Why US Insurers Care
US insurers care about these developments if they want to be able to participate in towers with London insurers, or issue the primary insurance under those towers, without non-concurrencies.
They also care because the issues are vitally important, for all the core reasons of aggregation and clarity.
The Response of US Insurers
The response of US insurers has been mixed. Some leading insurers have developed or are developing their own new exclusions for standalone cyber and other cyber coverages, using some elements of LMA clauses, and adding others of their own. Some of these have been released, others released and withdrawn, and others are being held in abeyance.
But many US insurers are doing nothing. Their plan is to wait to see how events unfold.
On one level, for the moment, this is arguably a reasonable position. There have been disruptive market responses in London. Lloyd’s has indeed put itself at a temporary competitive disadvantage. Sources in London with a broad picture of the market report that the domestic US market is beginning to repatriate business at a faster rate than expected. The London insurance press has reported that Lloyd’s could lose over 200 million dollars of cyber business as a result of the new exclusions. One market leader admits to a “temporary dampening” of business. Others, including the leadership at Lloyd’s, assert that the tighter exclusions are needed to keep the market sustainable, and that ultimately the stakes are too high not to act.
For the moment, the core of the older NMA 464-based exclusions seems to be faring well. This is a problem. The old versions are still full of ambiguities, so no one knows what they are really insuring. This has the effect of stifling market growth, by limiting reinsurance capacity, and slowing the development of a mature Insurance-Linked Securities market – because the financial markets cannot get any better sense of the exposure than insurers or reinsurers can.
In an attempt to address these concerns, several leading insurers have developed alternative provisions, outside of the War Exclusions. Some market leaders have developed extensions or endorsements providing specific treatment for events, described with terms such as Widespread Events, Systemic Cyber Events, or similar terms. It remains to be seen whether insureds and brokers will embrace these developments.
All Insurers Still Need Updated Clauses
Eventually, US insurers cannot escape modernizing their war exclusions. At a minimum, insurers need to address state-sponsored cyberattacks. What are they, and how are they treated? Next, they need to address how the exclusions are triggered. They also need to address a cyberattack that causes non-physical, economic loss only.
Insurers also need to refine the concept of cyberattacks that impair a government’s ability to provide essential services. What are essential services? In addition to the usual categories, what about disruptions to telecommunications, emergency services, transportation systems, or the food chain?
Finally, insurers need to address the key question of collateral damage. What happens when an exploit goes into the wild, intentionally or inadvertently? What losses fall into the War Exclusion? This again returns to the core concern of correlated widespread aggregation.
Even if there is a well-drafted, modern clause, there are going to be areas of potential dispute. Once again, there is the question of Attribution – who launched the attack, and how is that proved? A fertile ground for dispute will be proving the relationship between the actor and a nation-state. Does the clause say the attack must be initiated by “a state, or those acting on its behalf”, or does it say “a state, or those acting at its direction or under its control”? The courts may find a difference. In the Russia-Ukraine conflict, there are many groups clearly acting on behalf of each side, as that term is commonly understood. Yet some of them expressly deny they are under Russia’s direction or control, claiming they are merely Patriotic Citizens.
Finally, questions may arise on the Degree of Causation. Some clauses exclude loss “directly or indirectly occasioned by, happening through, or in consequence of any war or cyber operation.” Others only exclude loss “resulting directly or indirectly from war”, but as to cyber operations, only exclude loss “resulting from” the operation. These variations implicate questions of “proximate cause,” which are often contentious.
No Conclusion Yet
This story is not yet over. The key concerns remain unaddressed in many policies. Future developments should be expected.