Lloyd’s to Exclude Nation State Attacks from Cyber Insurance Coverage

Authored By Ezinne Egbo

Lloyd’s Cyber Insurance Policy Revision

Earlier this month, Lloyd’s of London announced in a market bulletin that it will cease insurance coverage for nation-state attacks beginning in April 2023. While there is a growing demand for cyber liability insurance as cyber-attacks grow in frequency, severity, and sophistication, Lloyd’s identifies cyber-related insurance as an evolving risk for its business. The insurance marketplace will continue broadly covering cyber-attacks, but it recognizes, “If not managed properly [cyber insurance] has the potential to expose the market to systemic risks that syndicates could struggle to manage. In particular, the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb.” This trend, as identified by Lloyd’s, indicates that the increasing amount of cyber liability losses may be hindering insurers’ returns on policies and thus hardening the insurance market. To combat this, Lloyd’s plans to begin adding a clause to its cyber insurance policies after March 31, 2023 that explicitly excludes losses from any state-backed cyber-attacks. This exclusion clause will be in tandem with a war exclusion clause, unless otherwise agreed by Lloyd’s.

The Increasing Threat of Nation-State Attacks

Cyber security research organizations have found that nation-state attacks have become increasingly common. For example, Venafi recently surveyed over 1,100 security decision makers worldwide regarding nation-state attacks: 64%, nearly two-thirds, of respondents believe their business has been targeted or impacted by a nation-state attack. The malicious actors behind these attacks typically employ advanced persistent threat (APT) tactics that allow them to elude security by creating discreet “leave behinds” for exit and re-entry. This can make it difficult for organizations to detect or confirm that an attack has occurred on their systems or network. Furthermore, Venafi found that many actors have begun successfully exploiting machine identities, such as digital certificates and keys, for these attacks. In such attacks, malicious actors obtain a legitimate device’s digital credentials to authenticate their illegitimate device, gain access, and maliciously infiltrate a network.

The Costs of Nation-State Attacks

According to cyber threat intelligence company Trellix, successful nation-state attacks are expensive, resulting in more than $1 million in losses per incident. Nation-state actors can utilize breached information from other nations to influence or coerce people, damage critical industries and infrastructure, and overall, advance their own nation’s political and economic interests. Organizations within sectors such as IT/computer services, financial institutions, manufacturing, and healthcare may be more at risk for nation-state attacks due to the amount of customer and employee personally identifiable information (PII) they have. As Lloyd’s, a leader in insurance, moves to end coverage for nation-state losses, it is anticipated that other insurers will follow. Organizations in all sectors, but especially the aforementioned, will need to improve their own cyber defense strategies to protect against these increasing and costly attacks.


Javier is a principal within the Cybersecurity Services Group at CLA. Prior to joining CLA, Javier spent ten years supporting the Department of Defense as well as a financial services company in the fields of insider threat, incident response, analytics, and systems engineering.
