On January 18, 2023, Lloyd’s published updated Cyber War & Cyber Operation Clauses for standalone cyber insurance policies. Twelve days later, it published revised versions to address “language consistency changes/minor corrections.” As part of its efforts to properly manage evolving cyber-risks, Lloyd’s originally drafted four model clauses which provided options for the level of coverage for cyber operations between states which are not excluded by the definition of war, cyber war or cyber operations which have a major detrimental impact on a state.
Impetus for Original Cyber War & Cyber Operation Clauses
Lloyd’s determined that cyber-risks involving state actors have unique features that deserve consideration. When writing cyber risks, Lloyd’s believed that underwriters should take into account the possibility of state-backed attacks that may occur outside of a physical war. The potential damage and spread of such attacks create a systemic risk for insurers.
To ensure that its syndicates are appropriately managing their exposures to liabilities arising from war and state-back cyberattacks, Lloyd’s implemented a requirement that all standalone cyber insurance policies include a suitable clause excluding liability for losses arising from any state-backed cyberattack. This clause must be in addition to any war exclusion clause. At a minimum, Lloyd’s requires the state-backed cyberattack exclusion to:
- Exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion;
- Exclude (subject to 3) losses arising from state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state;
- Be clear as to whether coverage excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state backed cyber-attack;
- Set out a robust basis by which the parties agree on how any state backed cyber-attack will be attributed to one or more states; and
- Ensure all key terms are clearly defined.
While Lloyd’s managing agents, brokers and other market participants are free to amend the model clauses, Lloyd’s made it clear that all four model clauses satisfy these requirements. Any material changes to the model clauses by a managing agent or broker could result in a finding of non-compliance with Lloyd’s requirements.
These requirements are to take effect on March 31, 2023, at the inception or renewal of each policy.
Reasons for Updated Clauses
The published updated clauses replace the original suite of cyber war clauses [LMA5564 through LMA5567]. The four updated have both an “A” version and a “B” version. The “A” versions meet the requirements outlined in Market Bulletin Y5381 in relation to standalone cyber insurance policies.
The sole difference between the “A” and “B” versions is that the “B” version does not include an agreement on how a cyber operation will be attributed to a state. Per Market Bulletin Y5381, attribution is to be dealt with in the exclusion clause itself. Lloyd’s has confirmed that clauses which do not reference attribution will be considered so long as there is a mechanism to deal with resolving attribution questions in the policy or a “robust reason” is provided for why it is not required. For those Lloyd’s managing agents, brokers and other market participants who choose to use any of the “B” versions, they will need to demonstrate to Lloyd’s that a mechanism for addressing attribution has been agreed upon by the insureds.
In the drafting of these updated clauses, the use of the term “sovereign state” and its operations in these exclusions was a subject of discussion. For example, both versions of the updated clauses do not exclude losses arising from a cyber operation by a state that causes major detrimental impact to another part of the same state, unless those cyber operations occur as part of an armed conflict (or the immediate preparation for armed conflict). Where there is potential disputes over sovereignty, Lloyd’s encourages underwriters to consider whether additional clarity is required.
As noted above, on January 30, 2023, Lloyd’s published new versions of the updated clauses, which implement minor corrections and consistent language usage. Click here for the most recent version of Lloyd’s Cyber War & Cyber Operation Clauses for standalone cyber insurance policies: LMA5564A, LMA5564B, LMA5565A, LMA5565B, LMA5566A, LMA5566B, LMA5567A, and LMA5567B.
In summary, Lloyd’s recently published updated Cyber War & Cyber Operation Clauses for standalone cyber insurance policies. These clauses provide options for Lloyd’s syndicates in terms of coverage for cyber operations that have a major detrimental impact on a state and are aimed at managing evolving cyber-risks. The updated clauses take effect on March 31, 2023 and require all standalone cyber insurance policies to include a suitable clause excluding liability for losses arising from any state-backed cyberattack.