The Lloyd’s Market Association (the “LMA”) recently released four model clauses to exclude coverage for “war” from cyber insurance policies. The exclusions align with the requirement that all insurance policies written at Lloyd’s must exclude losses caused by war. Given the insurance industry’s weakening appetite for cyber risks, the issue for insureds is the extent to which the broad definition of “war” in these exclusions could give insurers wide latitude for denial of coverage beyond the traditional concept of “war” between sovereign states.
Standardizing definitions: war
The four exclusions together create four levels of coverage based on a consistent set of definitions for key terms. All four exclude cyber losses caused by “war,” defined broadly to mean:
- the use of physical force by a state against another state or as part of a civil war, rebellion, revolution, insurrection, and/or
- military or usurped power or confiscation or nationalization or requisition or destruction of or damage to property by or under the order of any government or public or local authority.
The definition emphasizes action directed by a “[sovereign] state [or] any government or public or local authority.” The full scope of “local authority” is unclear but is potentially far-reaching. For example, the Ninth Circuit once held that a war exclusion had not been triggered by actions of Hamas, because the “foreign terrorist organization” was not a sovereign state. But Hamas could well have been considered a “local authority [with] military or usurped power” — and losses due to actions of Hamas might therefore be excluded from coverage under the new LMA exclusions. Similarly, inclusion of terms such as “revolution” and “insurrection” has the potential to extend the scope of this exclusion bar beyond the traditional understanding of what constitutes “war.”
Standardizing definitions: cyber operations (and attribution)
Further, the exclusions each exclude losses caused by (some) “cyber operations,” the definition of which also focuses on state-to-state activity:
Cyber operation means the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.
Attribution of a cyber operation as being “by or on behalf of a state” is tricky. The Office of the Director of National Intelligence explained in a 2018 document that attribution is “painstaking” and “difficult” and that there is “[n]o simple technical process or automated solution.”
The exclusions prescribe that attribution be determined first by “the government of the state in which the computer system affected … is physically located.” Among other problems with this procedure is that such a state could itself be the perpetrator of the cyber operation. In the absence of the state’s attribution, “it shall be for the insurer to prove attribution.”
Four degrees of exclusion of cyber operations
The four clauses each use the same definitions, exclude war losses, and prescribe the same criteria for attribution of cyber operations. But the clauses differ in the degree to which each excludes losses from cyber operations.
- Exclusion No. 1 (LMA5564) is the strictest. It excludes losses from all cyber operations.
- Exclusion No. 2 (LMA5565) does cover — with specified coverage limits — losses that are not due to cyber operations that either: (1) are retaliatory between China, France, Germany, Japan, Russia, UK, or USA; or (2) have a “major detrimental impact” on a state’s security, defense, or “essential services.” The exclusion does not define either “retaliatory” or “major detrimental impact.”
- Exclusion No. 3 (LMA5566) provides coverage for the same losses as Exclusion No. 2, but without specifying coverage limits.
- Exclusion No. 4 (LMA5567) is the most generous (but is still restrictive). In addition to the coverage of Exclusion No. 3, it also covers effects on “bystanding cyber assets,” defined as:
a computer system used by the insured or its third-party service providers that is not physically located in an impacted state but is affected by a cyber operation.
These four levels would give insurers some flexibility to customize policies for customers. Still, none is very friendly to insureds, except through the background principle that an exclusion’s applicability must be proved by the insurer. We have presented before about the impacts of war exclusions (particularly on defense contractors). Such exclusions impact all insureds when cyber threats respect no borders.
We have written before about the insurance industry facing silent and systemic cyber risks. As insurers better map the risk landscape, we expect to see more variety and maturity in such exclusions. But the LMA war exclusion clauses suggest that insurers are — for now — taking a very cautious approach. Consequently — and as premiums for cyber insurance continue to rise — insureds should carefully determine whether their operations are sufficiently insured from foreseeable risks.
Contact Heather Wright or Andrew Tuggle with any questions or to discuss the new provisions’ potential impact on your business today. For updates and alerts regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point.