Lloyd’s Bulletin Y5381 Has The Market In A Tizzy

Issued on August 16, with the title “State backed cyber-attack exclusions,” Lloyd’s Market Bulletin Ref: Y5381 says in part that all cyber-attack policies falling within designated risk codes “must include, unless agreed by Lloyd’s, a suitable clause excluding liability for losses arising from any state backed cyber-attack …”

Such “robust wordings,” the author explains, “provide the parties with clarity of cover, means that risks can be properly priced and reduces the risk of disputes.”

However, with regard to disputes, some observers believe the directive could have the opposite effect, given the difficulty of determining whether a cyber attack was state backed. There could be, says one law firm partner quoted in Financial Times, “significant litigation over these exclusions.” The net effect is a market “in turmoil,” says an article in Cybersecurity Dive, which says the Lloyd’s guidance comes at a time when the cyber insurance market is under extreme pressure from a rash of ransomware attacks and a fear of other types of attacks as possible fallout from the Russia-Ukraine war. Citing data from S&P Global, the post says there was a 232 percent increase in ransomware claims from 2019 to 2021, and that cyber insurance premiums are expected to rise 25 percent per year, to reach $22.5 billion in 2025.

An article in Security Boulevard details some of the problems involved in ascertaining whether an attack is state backed, noting the grey area between government actors, criminal groups, and private parties acting out of perceived national interest.