On 16 August 2022, Lloyd’s of London, the world’s leading insurance market, issued a Market Bulletin on cyber insurance. The Market Bulletin sets out new requirements for Lloyd’s cyber insurance policies from 31 March 2023 to make it clearer that cyber insurance policies issued by Lloyd’s will not include cover for state-sponsored cyber-attacks.
What does this mean?
It has long been the case that foreign governments have used cyber-attacks to make money or to disrupt organisations in other countries. The BBC’s Lazarus Heist podcasts for example have looked at the role of North Korea in cyber-attacks. In March President Biden spoke of Russia’s role in cyber-attacks. The UK’s NCSC has also spoken of threats from China. We have seen allegations that nation states do use cyberwarfare (including ransomware) to raise money for missile programs and conventional warfare but also to spread panic and despair in the same way acts of terror have been used in the offline world for hundreds of years.
In many respects the Lloyd’s announcement is not a surprise. Acts of war have been excluded from conventional insurance coverage for years too. There’s been litigation over clauses like this since at least the 1920s and in our alert on the Ukraine war in March we highlighted this as an area of contention https://www.corderycompliance.com/war-effects-on-cybersecurity/. In that alert we talked about the litigation involving Merck & Co. over cyber-attacks with a Russian connection and we talked about the insurance industry tightening up policy wording as a result. The recent Lloyd’s announcement is in many respects a continuation of that trend.
We know that it’s tricky for some organisations to get any cyber coverage at the moment, and we also know that premiums have been on the rise. For organisations, it’s a reminder that insurance isn’t the fix to everything. It also reinforces the need for organisations to shore up their own defences. Just as car insurance is often dependent on a car alarm being fitted, sometimes a tracker, and on you locking the doors, cyber policies are the same: you will have to take reasonable precautions to get cover, and even then your insurer won’t pick up the tab for everything.
The real issue with all of this however will be attribution – how can anyone be certain that an attack is state-sponsored? Whilst with specialist help you can often say that there are indicators of nation state involvement, from some of the cases we have been involved with we know it’s hard to be certain. With North Korea for example it has been reported that North Korean IP addresses are not always used. In many cases attackers will take over someone else’s systems to launch an attack and hide their tracks.
It’s these difficulties with proof of who is behind the attack which are likely to lead to litigation. Once again putting proper procedures in place will be key. To have a chance of getting attribution right an organisation will need proper and effective monitoring on its systems to assist in an investigation. It is also likely to need specialist help in analysing that evidence. As ever the time to prepare for an attack is before it happens and some organisations will want to re-test their readiness plans in light of the need to gather this evidence to satisfy their insurers that a claim is in scope.
What about sanctions?
We have talked before about the role of sanctions in ransomware for example in our alert looking at the dangers of ransomware payments here https://www.corderycompliance.com/ransomware-pay-or-not/. It could be that making a payment to a sanctioned individual or organisation will be seen as prima facie evidence of state-sponsored involvement depending on the nature and content of the sanctions announcement and the circumstances of the case. It is highly unlikely that any insurer will cover those payments. In all cases it will be wise to do a sanctions check before making any payment although as we have said attribution will remain a difficult area and finding out who a ransomware demand is from is not an exact science either.
Another important consideration given the changes will be the messaging that organisations use after a breach. Commonly an organisation’s PR or crisis management communications consultants will want to push the message that this was a “sophisticated nation-state 0-day attack” in the hope of garnering public sympathy to reduce the social media backlash. That line of messaging may well result in the organisation’s insurer declining coverage or at least delaying payment whilst investigations take place. Organisations would do well as a result to train their crisis management team on the appropriate response.
Cash flow implications
Another implication of the announcement could be delay in claims being met. There have already been concerns about late payment after a cyberattack – for example in July 2022 shares in the law firm Ince dropped 50% partly on news that it had not received an insurance pay-out after a cyberattack on its systems led to £4.9m of damage. Whilst their claim may have been on a business interruption policy rather than a dedicated cyber insurance policy, Ince was forced to raise additional money on the stock market as it said “the company’s management estimate the claim could take up to 12 months to be processed and received.” We can expect some claims to take longer as insurers investigate whether the attack is covered by the policy.
When does the change come in?
Lloyd’s does not require existing policies to change unless the expiry date is more than 12 months from 31 March 2023. With the way in which the market is tightening up however, it is likely that anybody seeking to renew their policy from now on will see new terms being proposed. It will be important to look through the proposed terms and consider your risk and the steps you can take to reduce it.
What can we do?
As ever the best strategy is to try to prevent attacks from happening rather than relying on insurance to cover you when they do. There are some simple steps you can take to try to reduce the risk:
- Training and awareness is key. As we have said before, make sure that you are raising awareness of the current heightened risk with your employees and sub-contractors.
- Make sure that your cybersecurity stance recognises the heightened risk. Patching software remains vitally important. You might want to implement a four-eyes system to make sure that somebody is independently verifying the fact that patches have been done. Despite some current attacks bypassing MFA, MFA remains important too especially since many insurers won’t cover you unless you have good MFA systems in place.
- Rehearse – breaches are inevitable so preparation is a wise investment. This might include having good lawyers on standby since we know that the initial hours after a breach are crucial in successfully defending claims. This is also likely to include rehearsing a breach for example with a Cordery Data Breach Academy (see https://www.corderycompliance.com/cordery-data-breach-academy-2-2/). Make sure your communications team are included in this training.
- Look in detail at contracts with vendors and other third parties. You will need to look carefully at emphasising your processors’ obligations to let you know immediately if they suspect a possible breach. In our view audit rights are also important – too often organisations are vague about cause and effect and it can take the exercise of audit rights to get proper information.
- You may also want to consider your position on ransomware payments and agree a strategy in advance. We have a more detailed note looking at the ‘To Pay or Not to Pay’ considerations for ransomware here https://bit.ly/ransompay.
You can read more on this in CSO including their interview with Jonathan here https://bit.ly/3T6ZCQ3
You can read the Lloyd’s statement here https://bit.ly/3CsICh7
You can listen to the Lazarus Heist podcasts here https://www.bbc.co.uk/programmes/w13xtvg9/episodes/downloads
You can read President Biden’s remarks here https://www.bbc.co.uk/programmes/w13xtvg9/episodes/downloads
You can read the NCSC statement on China here https://www.ncsc.gov.uk/news/uk-condemns-chinese-cyber-attacks-against-businesses-governments
You can read more on the Ince announcement here https://www.lawgazette.co.uk/news/ince-halves-in-value-as-financial-difficulties-revealed/5113263.article
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH |
| --- | --- |
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 |