Another year, and another warning about the rise in ransomware and cyberattacks. What does that mean for insureds?
Ransomware trends
As an initial matter, it is worth noting the state of ransomware attacks overall. In early 2022, the Cybersecurity and Infrastructure Security Agency (CISA)
Nonetheless, there is promising news for 2022. Some cybersecurity firms have reported a drop in ransomware volume for the first half of 2022. One firm reported "a downturn in ransomware volume over the first quarter of 2022," with the positive trend reportedly continuing, "with ransomware attacks decreasing month-over-month throughout the
Does cyber insurance cover ransomware?
The short answer to whether
- The costs to investigate the attack
- The costs to remediate the attack
- The amount of the ransom (and costs to finance the payment)
- The income lost while the company is impacted by the ransomware and its aftereffects
- The extra expenses incurred to resolve the ransomware and get 100% back to business
Although Lloyd's of London does not seem ready to eliminate all insurance coverage for ransomware, policyholders should expect London market insurance carriers to try to limit coverage for ransomware.
Lloyd's issued a Market Bulletin on August 16, 2022, that requires insurance carriers to use a "state backed cyber-attack exclusion." This exclusion is supposed to apply to "all standalone cyberattack policies falling within risk codes CY and CZ"; those risk codes are "Cyber Security Data and Privacy Breach" and "Cyber Security Property Damage."
Lloyd's has stated:
At a minimum, the state-backed cyberattack exclusion must:
1. exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
2. (subject to three) exclude losses arising from state backed cyberattacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.
3. be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state backed cyber-attack.
4. set out a robust basis by which the parties agree on how any state backed cyberattack will be attributed to one or more states.
5. ensure all key terms are clearly defined.
Lloyd's also issued four
It is not clear what the final insurance policy language will say for each carrier. As Lloyd's notes, model insurance clauses "are purely illustrative and are distributed for the guidance of [Lloyd's Market Association] members, who are free to agree to different conditions or amend as they see fit."
Lloyd's bulletin focuses on "liabilities arising from war and state backed cyber-attacks." Savvy policyholders might note that insurance policies often have so-called "war exclusions" already. So why the change?
One answer likely is that insurance carriers have been using old language, or slightly modified versions of old policy language, as their so-called war exclusions in cyber insurance policies for years. Those exclusions probably were not written for cyber-based claims.
The new language requirements are an example of history repeating itself. When the insurance industry faces new risks, it usually relies on old policy exclusions to try to avoid covering, and insurers often use clever coverage counsel to argue that the old policy terms apply to the new risks. At the same time, the insurance industry writes new exclusions that are advertised as specific to the new risk. That has happened more than once when it comes to insurance for cybersecurity and data privacy risks. As to
Notably, the fact that there are new exclusions should be further evidence that old exclusions do not apply clearly to certain cyber events. Many states recognize that when an insurance carrier could have used more specific or clearer language, but didn't, the carrier shouldn't be able to interpret the language that it did use expansively. A new exclusion suggests that the carriers could have used language that was more specific for these circumstances.
This new language has yet to be tested, but a key question likely will be whether the insurance carrier can prove that the cyberattack or
Final takeaways
First, note that these clauses are expected to be in new insurance policies from Lloyd's of London insurance carriers. There has not been an industry-wide pronouncement for U.S. insurance carriers.
Second, it is unclear how these clauses will apply, and as new language, they are untested. If a carrier tries to limit coverage by citing these new clauses, a best practice for policyholders is to analyze the language and facts closely.
Third, a best practice is to consider how the use of these clauses restricts coverage for scenarios that could be available under other insurance policies. It remains to be seen how this will affect the marketplace overall.