It has been reported that Lloyd’s of London has instructed its members to exclude nation state cyber attacks from insurance policies beginning in 2023, saying they pose unacceptable levels of risk. Specifically, the insurance market has indicated that it will require its insurance groups to exclude “catastrophic” nation state cyber attacks from cyber insurance policies from 31 March 2023. The change is supposedly intended to make the scope of cyber insurance policies clear to buyers, and is being made because Lloyd’s believes the impact of state-backed attacks is a “systemic risk”.
Full story here: https://www.wsj.com/articles/lloyds-to-exclude-catastrophic-nation-backed-cyberattacks-from-insurance-coverage-11660861586
My best guess is that Lloyd’s doesn’t want to be held accountable for very large ransomware/wiperware/malware attacks like NotPetya, which targeted Ukraine in 2017. It caused hundreds of millions to billions of dollars in damages. Just one of these events can bankrupt even the largest of insurance companies if they get caught with too much risk. NotPetya threatened the entire system of insurance and reinsurance, so I understand the concern and wanting to limit risk. Still, it’s tough to prove what is and isn’t “nation-state” in the cybersecurity world. We do have a fairly good understanding of various nation-state groups in the loose sense that we are fairly confident that it is either nation-state led or intentionally tolerated, or even encouraged. But proving that in a court of law is going to be far more difficult. Unless you can directly trace something, using solid forensic evidence that ties an attack to a known IP address tied to a confirmed nation-state program, I’m not sure how you prove or disprove it in a court of law. I don’t think it’s enough to say that we “think” or are pretty sure it’s a nation-state led attack. I can just see attorneys salivating to start arguing one way or another about this point.
The cyber insurance market is still in its early stages, and there will likely continue to be many changes in how cyber insurance is offered. The biggest challenge with the latest guidance by Lloyd’s is one of attribution. It is almost impossible to attribute attacks with certainty to a nation state. There may be indicators pointing to a certain nation state group, but proving the fact will be tricky without extensive investigations. Last week, a Minnesota computer store was unable to get a cyber insurance payout for losses it suffered as a result of a social engineering attack: https://www.theregister.com/2022/08/16/social_engineering_cyber_crime_insurance/
With these and other factors coming into play, it won’t be long before one has to ask what exactly is covered by cyber insurance, and whether it is worth the cost.