Lloyd's of London has announced that from 2023 all of its insurer groups will have to exclude “catastrophic” state-backed attacks from their cyber insurance policies. Lloyd's is an insurance marketplace in which over 70 syndicates of underwriters operate to provide insurance for businesses and individuals.
In the market bulletin put out by Lloyd's, it notes that it remains “strongly supportive of writing cyber-attack cover” but goes on to express concern over the difficulty of managing exposure to such risks. In particular, it notes “the ability of hostile actors to easily disseminate an attack, the ability of the harmful code to spread”, along with the critical dependency society has on IT.
So what does this mean?
Well, on the positive side, there is some clarity on what will and won’t be covered (in theory at least). This move is understandable from an insurer’s perspective. If we did see a large, aggressive state-backed attack on the UK or USA, insurers would in many ways be on the hook for an almost unlimited amount of money.
The exclusion will apply to attacks on nation states, but also to attacks on any services that are essential for that state to function, such as financial services, healthcare, utilities and critical national infrastructure organisations.
Concerns and issues
I have read the bulletin and the associated analysis and from a purely cyber resilience and preparedness perspective I have the following concerns and questions.
1. The “A” word
That’s right. Attribution.
So the “test” laid out by Lloyd's is that the damage being claimed for has resulted from an attack that is:
1) nation state backed, and
2) catastrophic.
The latter may be slightly easier to ascertain, but the former is troublesome.
Let’s break down the issue.
Firstly, you have the overall problem with attribution. In its simplest form: how do you know who attacked you? This, as we all know, is difficult to ascertain with any reasonable degree of certainty. This is in part why we have such heated debates on the “hack back” idea. The famous quote, I forget who to attribute it to, described the hack back as “wandering around in a pitch-black room randomly throwing punches and hoping one hits the right person”. That was one of the best explanations of the problems with attribution that I have ever read! It’s one thing to say “I think it was X”; it suddenly feels very different when action will then follow. You feel that requires a higher degree of certainty.
Secondly, even if you identify the group behind the attack, even if you locate them in a country (let’s say Russia), and even if you can show that the Russian Government knew about the group that attacked you and took no action against them, that’s not sufficient under international law to prove that that group’s actions are attributable to the state. In fact, even if you had solid proof that the Russian Government had paid the group that attacked you, that still would not be sufficient to meet this high bar. We had this very issue with terrorism many years ago when I was doing a Masters in International law and Maritime law. The state has to exert a level of operational and managerial control over the group to pass this high bar of a test. This issue alone could fill multiple books, so I will leave it there.
So, even if we can do attribution accurately, and this is in no way a priority for most in the heat of an incident, how do we really show they are state backed? If we can’t show this accurately, it places us in a slightly precarious position insurance-wise.
In the US the burden would fall on the insurers to prove the exception applies but that’s not the case in every country. So, it could fall on the victim to show the reverse.
It has been claimed in the sea of analysis on this decision that the attack won’t necessarily need official attribution to be excluded from the policy coverage. According to Threat Post, the insurer can decide whether it is “objectively reasonable to attribute cyber-attacks to state activities”. So the insurer could claim that the attack is excluded because it is “reasonable” to attribute it to a nation state. Not the clarity we perhaps wanted!
2. Lack of standardisation in the market
The cyber insurance market is in its toddler stage of development. It has come a long way in the last few years, but there is still a shocking lack of standardisation in cyber policies. Every client I run crisis simulations for has a differently worded policy with different exceptions and definitions. So we aren’t yet at a stage where there is a lot of clarity and consistency in policies. From that perspective alone, this may be a positive move towards more standardisation.
This could prove interesting. There has been a balancing act on the part of insurers to weigh up the cost of putting things right vs the cost of paying a ransom. Often, over the last few years, we have seen that balance tilting firmly towards the payment side. In fact, the paying of ransoms has become somewhat of an industry in itself, with ransomware negotiators, lawyers doing due diligence on the groups, and insurers advocating payment in some instances. On paper, you can see how it could be cheaper for an insurer to pay a ransom that’s been negotiated down and hope that puts “everything right” than it would be to take the hit of the total cost.
Now, if insurers could claim they don’t have to pay because the catastrophic damage caused by the ransomware attack was the work of a state-backed actor, what would the position be? Would this cause a cooling in the desire to pay ransoms? Or maybe it will drive it further underground?
4. “It was Russia”
The comms statement we love to hate. The cyber community has often commented on the tendency of organisations (public or private) to claim that it was a “nation state that got me”, perhaps as a means of trying to shift some of the responsibility away from themselves. Perhaps now this will do a total 180-degree flip, for fear that the insurer will use such a claim to exclude liability?
The reality is that this is probably a reaction to the increase in demand and in risk from evolving threats. Cyber is unique in that way: the threat can evolve rapidly, as can your exposure to it. The Russian invasion of Ukraine and the constantly fluctuating fear of the so-called “cyber war” likely have insurers worried. Maybe rightfully so. It raises some interesting questions for the future, though, and as always leaves us with more questions than answers.