Lloyd’s of London, the world’s leading insurance market, says that cyber insurance policies it issues after March 31, 2023 will not cover most state-sponsored attacks. Cordery Compliance’s Jonathan Armstrong and Andre Bywater explore what this means for companies and how they should prepare.
It has long been the case that foreign governments have used cyber attacks to make money or to disrupt organizations in other countries. The BBC’s recent “Lazarus Heist” podcast series examined the role of North Korea in cyber attacks, while in March, President Joe Biden spoke of Russia’s role in attacks, and the UK’s NCSC has also spoken of threats from China.
We have seen allegations that nation-states do use cyberwarfare, including ransomware, to raise money for missile programs and conventional warfare but also to spread panic and despair in the same way acts of terror have been used in the offline world for hundreds of years.
In many respects, the announcement is not a surprise. Acts of war have been excluded from conventional insurance coverage for years, too. There’s been litigation over clauses like this since at least the 1920s, and in an alert on the Ukraine war in March, we highlighted this as an area of contention. Then, we talked about the litigation involving Merck & Co. over cyber attacks with a Russian connection, and we talked about the insurance industry tightening up policy wording as a result. The recent Lloyd’s announcement is in many respects a continuation of that trend.
We know it’s tricky for some organizations to get any cyber coverage at the moment, and we also know that premiums have been on the rise. For organizations, it’s a reminder that insurance isn’t the fix to everything. It also reinforces the need for organizations to shore up their own defenses. Sure, you have car insurance, but you also have a car alarm and maybe a tracker, and you lock the doors. Cyber policies are the same; you will have to take reasonable precautions to get covered, and even then your insurer won’t pick up the tab for everything.
The real issue with all of this, however, will be attribution: How can anyone be certain that an attack is state-sponsored? With specialist help, you can often say that there are indicators of nation-state involvement, but some cases we have been involved in prove to us that it’s hard to be certain. With North Korea, for example, it has been reported that North Korean IP addresses are not always used. In many cases, attackers will take over someone else’s systems to launch an attack and hide their tracks.
It’s these difficulties that are likely to lead to litigation. Once again, putting proper procedures in place will be key. To have a chance of getting attribution right, an organization will need proper and effective monitoring on its systems to assist in an investigation. It is also likely to need specialist help in analyzing that evidence. The time to prepare for an attack is before it happens, and some organizations will want to re-test their readiness plans in light of the need to gather this evidence to satisfy their insurers that a claim is in scope.
What about sanctions?
It could be that making a payment to a sanctioned individual or organization will be seen as prima facie evidence of state-sponsored involvement, depending on the nature and content of the sanctions announcement and the circumstances of the case. It is highly unlikely that any insurer will cover those payments. In all cases, it will be wise to do a sanctions check before making any payment, although as we have said, attribution will remain a difficult area and finding out who a ransomware demand is from is not an exact science either.
When does the change come in?
Lloyd’s does not require existing policies to change unless the expiry date is more than 12 months from March 31, 2023. With the way in which the market is tightening up, however, it is likely that anybody seeking to renew their policy from now on will see new terms being proposed. It will be important to look through the proposed terms and consider your risk and the steps you can take to reduce it.
What can we do?
As ever, the best strategy is to try to prevent attacks rather than relying on insurance to cover you when they do. There are some simple steps you can take to try to reduce the risk:
- Training and awareness are key. Make sure you are raising awareness of the current heightened risk with your employees and subcontractors.
- Make sure your cybersecurity stance recognizes the heightened risk. Patching software remains vitally important. You might want to implement a four-eyes system to make sure that somebody is independently verifying the fact that patches have been done. Despite some current attacks bypassing multi-factor authentication (MFA), it remains important, especially since many insurers won’t cover you unless you have good MFA systems in place.
- Practice makes perfect. Breaches are inevitable, so preparation is a wise investment. This might include having good lawyers on standby, since we know that the initial hours after a breach are crucial in successfully defending claims. This is also likely to include rehearsing a breach.
- Look in detail at contracts with vendors and other third parties. Pay close attention to your processors’ obligations to let you know immediately if they suspect a possible breach, and make sure those obligations are emphasized. In our view, audit rights are also important. Too often, organizations are vague about cause and effect, and it can take the exercise of audit rights to get proper information.
- You may also want to consider your position on ransomware payments and agree on a strategy in advance.
This article was first published at Cordery.com. It is republished here with permission.