Insights

A Cyber Continuum

This perspective was first published from Marsh.

This note is intended to offer analysis, insights, and ideas supporting a productive way forward for stakeholders regarding new cyber insurance policy exclusion language related to war, cyber war, cyber operations, and concerns pertaining to catastrophic risk.

The risks and consequences of what may constitute “cyber war” — alongside the parallel problem of cyber terrorism carried out by nation states, proxies, or others — presents a global challenge for law enforcement, governments, business leaders, and increasingly, the insurance market. These challenges are compounded by well-funded and organized activity of international hacking syndicates that operate in a profitable cybercrime ecosystem.

In the context of the insurance market, cyber risks present unique challenges and questions: What types and elements of this risk will remain insurable? How can uninsurable risks and/or impacts be identified and distinguished to provide necessary contract certainty? The answers will ultimately benefit both insurers and insureds, and are imperative to foster a high functioning marketplace.

Recently, the Lloyd’s Market Association (LMA) attempted to address some of these concerns on behalf of the Lloyd’s syndicates and market participants with a set of four new model war, cyber war, and cyber operations exclusions.

The development of this new language extended over more than two years. And yet these new exclusions may increase uncertainty regarding the scope and performance of policies that employ them, thus jeopardizing the assurance that clients may take from any coverage within their cyber insurance programs.

The challenges of the LMA war, cyber war, and cyber operations exclusions

The four new LMA exclusions — LMA 5564, 5565, 5566, and 5567 — use similar concepts and structures, ranging from the removal of coverage if due to war or nation-state activity to exceptions made for nation-state activity that falls below a certain threshold.

While these exclusions were expressly designed for standalone cyber policies, the LMA has yet to confirm whether they may be used on other policies issued at Lloyd’s. Fortunately, widespread deployment or adoption of the exclusions has not occurred to date as they were only finalized and released in December 2021.

Importantly, while there is a general requirement for all policies to exclude losses by war, except in limited circumstances, there is no mandate for Lloyd’s syndicates and market participants to use these new exclusions. Many are either considering further modification of the language or adopting a wait-and-see approach before taking further action. That said, the LMA has yet to confirm whether, over time, these exclusions may be used as unqualified model wordings for other lines of business policies issued at Lloyd’s.

Upon reviewing the new exclusionary clauses, we identified several areas of concern:

New terms + more words = new uncertainty

Collectively, the new exclusions introduce and rely on a number of ambiguous terms — such as “major detrimental impact” and “essential services” — that currently have either an ambiguous threshold, an unclear meaning, or no ordinary interpretation. It is also potentially problematic that the exclusions introduce the term “cyber war,” but do not define it.

Each of the exclusions depends on a new concept of a “cyber operation,” the definition of which is closely related to that contained within the Tallinn Manual,[1]a widely used tool for shaping policy and an influential source of information for legal advisors. It should be noted that the definition of cyber operation contained in the LMA exclusions omits the critical concept contained within the Tallinn Manual of a corresponding threshold as to when a malicious cyber operation qualifies as an act of cyber warfare in violation of international law — thus perpetuating the confusion as to which events can trigger the exclusion.

It is helpful to leverage existing reference works like the Tallinn Manual. However, the manual is not an agreed doctrine, there was no consensus as to what cyber operations outside of traditional warfare met the threshold for war, and there is currently a five-year project (commenced in 2021) to revise and update the manual to reflect the evolving nature of cyber statecraft.

Also, the new exclusions were published without accompanying guidance or illustrative explanation from the LMA. This leaves brokers and insureds uncertain as to when syndicates and other market participants may employ these wordings, or how they are expected to be interpreted.

Attribution remains ambiguous

One of the thorniest problems with cyberattacks is the heightened anonymity afforded to perpetrators that attack from a distance over the internet. It is often virtually impossible to be certain who originated an attack, or why they did so.

The new LMA clauses offer a novel series of potential ways for insurers to resolve the challenging issue of attributing a cyberattack to a sovereign state, and yet, several deficiencies remain.

First, attribution may be derived from any statements made by the government of the state in which the computer system affected by the cyber operation is physically located, regardless of their accuracy, significance, or political motivation.

Second, if an affected government does not affirmatively attribute the attack, the insurer may alternately rely on inferences made by any other party that are “objectively reasonable” — without qualifying the “objective party” or defining what constitutes objectively reasonable.

Third, as a last resort, the insurer can prove attribution via any other evidence that may be available, with no clear time constraints.

Collectively, the implied evidentiary burden of proving attribution is too low, too ambiguous, and too skewed in favor of insurers. Insurers may rely on statements that are political, rather than legal, and that come from sources within a government that may be uninformed. The concept of an objective party seems reasonable; however, there is no clarity as to whom may serve as the objective party, meaning any party might serve as such. At the same time, there is no requirement or method to resolve disagreements among multiple objective parties.

Further, because the methods of attribution in the exclusions need not be aligned overall and are not mutually exclusive, they may encourage a wide-ranging search for any casual or unofficial statement by a government official, reasonable inference, or evidence that might support a declination of coverage.

Issues pertaining to causation may also be amplified because the exclusions apply to any and all events “happening through” an attack. In other words, the risk of ambiguous attribution extends beyond the threat actor to encompass the entire sequence of events that precipitate a cyberattack, often called the “kill chain.” By using “happening through” rather than more common constructs like “for” or “arising out of,” the implied scope of the causal chain is unknowable and could lead to unreasonable and tortuous chains of “proximate cause” resulting in erroneous application of the exclusion.

State sponsored cybercrimes are not acts of war, or cyber war

Many currently insurable cyberattacks that could potentially be subject to the new exclusions would also ordinarily be subject to investigation by law enforcement. Such cyberattacks are increasingly the subject of criminal investigation and prosecution, and thus should not be considered or conflated with acts of war. Further, every act between nations does not necessarily rise to the level of a hostile or warlike action, or a cyber operation. Indeed, many ordinary actions between states — such as espionage — may be disruptive, but should not be excluded from coverage.

Additionally, some of the new exclusions define a set of “specified states” for which no coverage is afforded if there is a cyber operation between such states. However, the underlying rationale for the designation of certain states is unclear. Does the list reflect political rivals? Or those associated with state terrorism? Perhaps rogue states, where some believe they might violate international law but not cross any lines that would rise to war? Or does the list simply reflect territories that have little interest in cyber warfare, but nonetheless have significant cyber assets?

Too many choices means too much confusion

The LMA exclusions range from the absolute removal of coverage for loss if due to war or nation-state activity, to exceptions made for nation-state activity that fall below a certain threshold. Having four exclusions offers choice to market participants, but may also reflect a lack of insurer consensus.

Many insurance policies already contain exclusions for war, infrastructure, government actions, and natural perils, each with defined terms. It is unclear how the new exclusions will interact with existing ones, and/or with others being drafted by market participants.

Further, the adoption of a variety of conflicting and overlapping exclusions increases the potential for non-concurrency of coverage and inconsistency in the scope and application of these exclusions. This could result in confusion and a lack of contract certainty for buyers purchasing cyber insurance from multiple market participants.

How Marsh is supporting clients

Marsh’s Cyber Practice has for many years included a working group for emerging coverage issues such as cyber war and silent cyber. Early in the LMA process of re-examining these wordings in 2019, Marsh engaged with the relevant stakeholders to share our commentary and suggestions, including a number of the concerns expressed above. While the LMA considered our feedback, ultimately they developed and published the new exclusions without fully resolving our concerns pertaining to unintended consequences and the challenges that will likely follow.

With no current mandate from Lloyd’s for market participants to adopt the new LMA language, we anticipate insurers will take time to review and potentially modify these exclusionary clauses before adopting them. That said, we recommend that clients carefully review and consider these wordings, if presented, before accepting them into their contracts. Concurrently, we continue to advocate on behalf of insureds through discussion with the LMA and other market participants in an effort to reduce uncertainty and ambiguity, and maximize the value of the cyber product for our clients.

These are pressing, complex, and challenging issues. At Marsh, our mission is to protect and promote possibility — helping clients protect their cyber assets is a critical concern.

We hope that continued collaboration and dialogue between relevant and vested stakeholders leads to a productive path forward. Enabling clients to make informed decisions regarding the risk transfer of certain impacts emanating from a cyber event, irrespective of the threat actors involved, is critical for all stakeholders.

If you have questions about the LMA exclusions or any other cyber risk issues, please reach out to your Marsh representative.

[1] Specifically, the Tallinn Manual 2.0 on the International Law applicable to Cyber Operations (2ed.2017)