Cyber Insurance & Vague Exclusion Carve Outs

Recently Lloyd's, the insurer, adjusted its policies to exclude actions that could be considered cyber warfare or associated with a sovereign state entity.

That sounds abstract, but the reality is even more complicated. Lloyd's can exclude a cyber event from a policy through "inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its behalf".

What does this mean?

In plain English: if a cyber attack originates from one of several countries that are known state actors of cybercrime, it may be excluded simply because it is considered a form of cyber warfare.

This is likely because of a huge increase in claims over the past several years, with insurers looking at various ways to keep costs down and coverage specific. What is so incredible about this change is that it doesn't even require attribution from government agencies such as the FBI; it simply requires "inference".

So... all of those shiny insurance policies that might normally cover a cyberattack are suddenly devalued when the attacker is from China, Russia, or North Korea - or if they route themselves through those countries - a very common practice.

It stands to reason that news such as this should concern many businesses that are preparing for a huge increase in cybercrime in 2022, as 2021 has had easily the most cybercrime on record, exceeding 2020 by the first quarter of 2021 alone.

Hopefully we will see companies look to increase their security coverage and create security practices that will prevent threats before they spread and cause a full outage. Especially now that the insurer might not even cover it, maybe even management will be willing to up the security spend.