General Insurance Article - Lloyds cyber war exclusion clauses stops future claim wins

Merck & Co. has successfully won a legal dispute over a pay-out refusal, the insurance industry has already put in place "cyber war exclusion" policies that will see future legal disputes ruled in their favour.

 Peter Groucutt, Co-Founder at Databarracks on the challenge of cyber attack attribution and the continuously narrowing parameters for a cyber insurance pay-out. 

 Merck & Co. has won its legal dispute with its insurer over a refusal to pay out on a claim for losses due to the NotPetya ransomware.

 The NotPetya attack was attributed to Russia. It was aimed at Ukraine, but it had a massive impact on companies around the world.

 Insurers have refused to pay out on the basis of the “war exclusion” clause in its policies. That resulted in companies suing their insurers for refusing to pay out. In addition to Merck, Mondelez has also taken action against its insurer.

 The court in New Jersey ruled that the war exclusion clause did not apply because it applied to armed conflict rather than cyber warfare.

 Lloyd’s cyber exclusion clauses
 The timing of this ruling is particularly interesting because it comes just after Lloyd’s issued its new cyber war and cyber operation clauses.

 The new clauses from Lloyd’s favour the insurers with broader definitions of cyber activities that can be excluded from coverage.

 Traditional war exclusion clauses don’t address some of the particular challenges raised by cyber warfare.

 Extending the reach to include “cyber operations” covers more activities. There is a lot going on between nation states that doesn’t qualify as “war”. Occasionally that spills over and affects organisations who might want to claim on their cyber insurance (as with NotPetya).

 Attribution is another challenge because it is not always clear who was responsible for an attack. There is understandably a lot of deception in cyber warfare, with attackers leaving misleading breadcrumbs pointing to different attackers or nations. These clauses allow the insurer to determine attribution if the government does not or “takes an unreasonable length of time to”. That seems to be a dangerous case of checking one’s own homework.

 There is another challenge of attribution in that cyber groups are often loosely affiliated with a government. It is not always clear if they are directly controlled by or sponsored by the government. Previously, that distinction would be more important. Again, these new clauses widen the net with “those acting on its behalf” working as a catch-all for these kinds of relationships.

 Ultimately, in future businesses will find that the parameters for a payout are narrowing, shifting the emphasis for protecting data and operations onto the victims.

Back to Index

Similar News to this Story

FCAs new powers removes firms without regulatory permission
Businesses required to prove they are carrying out the regulated activities they are permitted to or face losing this permission. Failure to take acti
ABI comment on IFRS 17
The UK Endorsement Board (UKEB) has announced that it has approved the adoption of the International Accounting Standards Board’s (IASB) IFRS 17 Insur
Net Zero may double the size of the London insurance market
MPs heard last week that the value of the opportunity provided by the global transition to Net Zero was potentially large enough to double the size of

Site Search

Exact   Any  

Latest Actuarial Jobs

Actuarial Login

 Jobseeker    Client
Reminder Logon

APA Sponsors

Actuarial Jobs & News Feeds

Jobs RSS News RSS


Be the first to contribute to our definitive actuarial reference forum. Built by actuaries for actuaries.