Skip to main content
banner image
venafi logo

Lloyd's Backs Off Insurance for State-Sponsored Cyberattacks

Lloyd's Backs Off Insurance for State-Sponsored Cyberattacks

August 30, 2022 | Larry Seltzer

If Lloyds’s exclusion of coverage for state-sponsored attacks is the future for cybersecurity insurance, then the value of that insurance may be diminished.

Machine identity is essential for security. Find out how Venafi can help.
Cyber related businesses are ‘evolving risk’

Lloyds of London Ltd. issued a market bulletin dated August 16, 2022 setting out new rules for standalone cyber-attack policies that would exclude coverage for damages from state-sponsored attacks.

The bulletin offers guidance on how to make the exclusions to “…all standalone cyber-attack policies falling within risk codes CY (‘Cyber Security Data and Privacy Breach’) and CZ (‘Cyber Security Property Damage’).

"Lloyd’s remains strongly supportive of the writing of cyber-attack cover[age] but recognises also that cyber related business continues to be an evolving risk...[and] that losses have the potential to greatly exceed what the insurance market is able to absorb,” the guidance says. 

The new requirements set forth by Lloyds include excluding “losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.”

Gray areas

Lloyds is a London-based insurance and reinsurance marketplace where financial backers gather to pool and spread risk. With a reputation for insuring anything, such as Betty Grable’s legs and Bruce Springsteen’s voice, it’s hardly surprising that policies for damage from cyber-attacks were for sale at Lloyds.

It’s not clear how big a role the Ukraine-Russia war played in this decision. As the bulletin says, damages due to an actual “kinetic” war were always in a separate class of claim. But what is a war these days? In 2007, Estonia was subjected to a massive cyberattack which they blamed on Russia. No war was declared, and Russia denied involvement. Russia was also blamed by the U.S. government for cyberattacks on U.S. interests in the 2016 elections. But the U.S. is not at war with Russia.

Situations like Estonia and Ukraine pose a major problem for such policies: How do the parties establish that the attack was state sponsored? The bulletin says that the now-required exclusion language must “…set out a robust basis by which the parties agree on how any state backed cyberattack will be attributed to one or more states."

This kind of language could lead to disputes over coverage.

For example, in the Ukraine-Russia war, most of the attacks have been attributed to Russian government entities, according to a report from the Center for Strategic and International Studies.

“Chiefly the GRU, Russia’s military intelligence service, which has a history of using disruptive cyberattacks. In a few cases, proxy groups (such as the leading ransomware group Conti) were also involved,” the report said.

Disputes could arise if it’s not clear where these attacks originated or the actual intention. Does the attack come from government actors or is it simply criminal syndicates seeking cash? Or private parties acting out of “patriotism.” 

The Lloyd’s bulletin also draws no distinctions in the type of attack. The attacks on Estonia were DDOS attacks that brought down Internet infrastructure and major websites in the country. These attacks have also been used in the Ukraine-Russia dispute.

If you have cybersecurity insurance and, whether it’s through Lloyds or not, such exclusions are the way of the future, what can you do?

Nobody would ever recommend that you rely on insurance as a primary method of cybersecurity; it’s supposed to be there only if all your defensive technical and business practices fail. But if cybersecurity insurance becomes less valuable, you may want to divert budget from it to strengthen best security practices. There’s always more to do with best practices.

Best Practices

These best practices are well-known and effective:


Related Posts

Like this blog? We think you will love this.
Featured Blog

North Korea Cyber Threat Group ‘Lazarus’ Targets M1 Mac with Signed Executables

M1 MacBook and Intel

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Larry Seltzer
Larry Seltzer

Larry Seltzer, Technical Content Writer, Venafi

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more