Managing agents must show that exclusion clauses have been legally reviewed 

Lloyd’s of London will require its underwriters to include exclusion clauses for state-backed cyber attacks within standalone cyber policies from 31 March 2023, at the inception or renewal of each policy, according to its latest market bulletin, published on 16 August 2022.

The bulletin explained that recent losses arising from sovereign state cyber attacks, such as incidents that have occurred during the Russia-Ukraine conflict, has led to these types of exposures becoming a “market focus”. It explained that “the damage these attacks can cause and their ability to spread creates a systemic risk to insurers”.

Therefore, the marketplace is ”requiring that all standalone cyber attack policies falling within risk codes CY and CZ must include, unless agreed by Lloyd’s, a suitable clause excluding liability for losses arising from any state-backed cyber attack”.

These clauses ”must be in addition to any war exclusion”, it added.

Lloyd’s has confirmed that, at a minimum, the state-backed cyber attack exclusion clause in standalone cyber insurance policies must:

1. Exclude losses arising from a war, declared or not, where the policy does not have a separate war exclusion.

2. Exclude losses arising from state-backed cyber attacks that either significantly impair the ability of a state to function or that significantly impair the security capabilities of a state.

3. Be clear whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in point 2. above by the state-backed cyber attack.

4. Set out a robust basis by which the parties agree on how any state-backed cyber attack will be attributed to one or more states.

5. Ensure all key terms are clearly defined.

A spokesperson for Lloyd’s told Insurance Times: “Cyber remains a priority area for Lloyd’s.

”The advisory guidance provided [last week], following consultation with our market, is to ensure we take on the right kinds of risk as a market while approaching this complex field with the expertise and diligence it requires.

“We will continue to take a pragmatic and innovative approach to supporting the growth of cyber at Lloyd’s.”

Clarity of cover

The bulletin stated: ”We recognise that many managing agents in the market are already including clauses in their policies specifically tailored to exclude cyber attack exposure arising both from war and non-war, state-backed cyber attacks.

”We wish to ensure, however, that all syndicates writing in this class are doing so at an appropriate standard, with robust wordings.

”We consider the complexities that can arise from cyber attack exposures in the context of war or non-war, state-backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust.

”It is important that Lloyd’s can have confidence that syndicates are managing their exposures to liabilities arising from war and state-backed cyber attacks.

”Robust wordings also provide parties with clarity of cover - [this] means that risks can be properly priced and reduces the risk of disputes.”