Insurers Stake Out Their Ground for Covering State Cyber Attacks
The wording of insurance exclusions usually goes unnoticed, but it attracted unusual attention in Nov. 2021 when Lloyd’s of London applied the arcane legal language of insurance contracts to a set of conditions for insuring “cyber war” and nation-state cyber operations. Regrettably, much of the commentary from cyber security and technology policy experts interpreted the clauses as a legalistic trick for insurers to avoid paying claims. Instead, these clauses represent an important development that should remove one of the major impediments to the growth of cyber insurance. They also provide insights that should be of interest beyond the insurance sector: in crafting the exclusions, insurers have applied a business perspective to some of the strategic themes in the governance of cyberspace, such as attribution of state operations, the balance of responsibility between the public and private sectors in generating resilience, and norms of state conduct.
The impetus came from longstanding recognition that existing exclusions for war are inadequate to capture nation-state activity in cyberspace, coupled with scrutiny from regulators and the warning provided by litigation over insurance claims stemming from the NotPetya attack (claims which were made under property insurance policies that were ambiguous on whether a cyber event was covered, and which were denied by insurers based on a war exclusion clause). Carnegie published a detailed analysis of the topic in 2020, which recommended that insurers “should aim for clarity and practicability, while also defining a manageable zone of coverage.” The published exclusions are an admirable effort to meet that standard, although further work will be needed to enable insurance to play more than a marginal role in managing cyber risk.
Grappling with Uncertainty
The purpose of these exclusions is to provide a template that has broad support among insurers, creating clarity and consistency in policy wordings for customers while affording insurers greater certainty in estimating their potential liabilities. The Lloyd's market is an important element of the global insurance sector, and other insurers around the world will likely adopt the exclusions directly or use them as a reference point for their own measures. The adoption of such wordings is driven by market forces (such as the negotiation of premium for particular cover, and insurers’ appetite to accept different levels of risk), meaning that exclusions can be amended or omitted on a case-by-case basis. In drafting them, insurers aim to balance the needs of clients against the expectations of investors, regulators, credit rating agencies and reinsurers (who provide insurance for insurers).
This balance has proven especially difficult to find in the context of insurance for cyber events. The potential for insurance to make an important contribution to the management of cyber risk has been recognized for some time, yet it has been constrained by significant impediments. The heart of the challenge facing insurers is not necessarily the quantum of loss that might arise from cyber events, but rather the uncertainty that attaches to it.
By way of illustration, insurers can provide billions of dollars of insurance cover for properties on the East Coast that are exposed to severe windstorm risk. They are able to do this because they have confidence in probabilistic estimates of the likelihood and severity of windstorms, enabling them to manage their exposure at a level they can sustain. European regulators require insurers to hold capital sufficient to pay claims against a 1-in-200 (or 0.5 percent probability) loss experience in any given year. Thanks to mature science, rich data and well developed (although continually improving) risk modeling, insurers have confidence in estimating their exposure to a 1-in-200 hurricane season on the East Coast of the U.S. Contrast that with the uncertainty involved in estimating the impact of a 1-in-200 year of losses from cyber events, which results in insurers restricting the amount of cover they offer for cyber risk, far below that which clients might want.
This is an example of “catastrophe” losses, resulting from low probability, high impact events. Since 2020, insurers have seen a major increase in losses from ransomware, causing them to increase premiums and impose stricter conditions on cover—examples of “attritional” losses, which are higher probability and lower impact. Attritional losses affect insurers’ profitability, while catastrophe losses could threaten their solvency.
The specter of nation-state cyber operations creating very widespread harm among businesses and organizations in every sector across the globe has been one of the primary sources of uncertainty dampening insurers’ ability to cover cyber risk. Occupying the top end of the capability spectrum, and demonstrating the intent to deploy those capabilities against civilian targets of all types for objectives ranging from espionage to disruption, information warfare, and theft, nation-state threat actors exert great influence on insurers’ calculations of the cyber risk landscape.
Most insurance products exclude war, or only cover it in tightly defined circumstances, owing to its potential to create a massive accumulation of losses which would bankrupt insurers; its definition for insurance cover has evolved, often in response to legal challenges. In crafting cover for cyber events, insurers relied on established wordings to describe the nature of war, one of which was introduced in 1938 in response to the demonstration of the destructive potential of airpower in the Spanish Civil War. The advent of offensive cyber operations for national strategic aims has forced insurers to consider another paradigm shift in the concept of war, albeit one whose implications are not fully understood.
Against this background, the new exclusions were designed to afford insurers flexibility, while introducing innovative concepts to match the nature of the risk. They are structured to provide several coverage options, ranging from no cover for any cyber operation attributed to a nation-state (Exclusion 1) to cover of any nation-state cyber operation so long as it does not occur within a situation of war or retaliatory operations between major powers, or result in serious detrimental impact to the functioning of a state (Exclusion 4). The diagram below shows how the exclusions relate to each other (for illustrative purposes only; it is not intended to speculate on actual levels of insurance provision):
Figure 1. A diagram depicting how the different exclusions allow increasing insurance coverage of nation-state cyber operations while limiting insurers’ exposure to the highest impact events.
The provision of different options could provide a firmer foundation for market forces to operate and propel innovation in insurance. The uptake of the different exclusions will be determined by insurers’ appetite to assume different levels of risk, and clients’ willingness or ability to pay for different levels of cover. This should incentivize clients and insurers to examine the risk of nation-state cyber operations in more detail, thus reducing uncertainty and, ultimately, generating premium and cover which is more carefully calibrated to the risk. If this process functions effectively, it results in accurate “risk reflective” insurance premium, creating pricing signals that can be a powerful incentive for clients to invest in risk management, while insurers gain the confidence to offer greater levels of cover. The development of clear exclusions cannot address all the sources of uncertainty that could impede this process, but it is an important foundation of an effective market for insurance.
While the new exclusions clarify many points of coverage, they still include terminology that could be open to challenge, particularly that of “retaliatory cyber operations” between the “specified states” of China, France, Germany, Japan, Russia, the U.K. and the U.S. The wording envisages that cyber attacks could be employed as a strategic tool of escalation, without recourse to the “physical force” required by the exclusion’s definition of “war,” resulting in major economic harm beyond the capacity of insurers to bear. The selection of states appears to be driven by the potential scale of insurance losses, but the inclusion of China and Russia (where much less insurance is purchased from Lloyd’s and Western insurance providers) indicates that it was also influenced by national capability for offensive cyber operations coupled with the potential for geopolitical confrontation.
This formulation could encounter problems because the utility of cyber power for achieving strategic aims, particularly its capacity for coercion, is highly contested. States are at an early stage of developing doctrines and strategies for the use of cyber power, and they might actively seek ambiguity in their conduct of cyber operations. A “retaliatory” cyber operation might, therefore, be much harder to prove than insurers imagine.
Insurers would probably prefer not to define specific circumstances that need to be excluded and instead base their exclusions on the scale of impact (whatever the cause), protecting their solvency without having to prove a specific chain of events. The problem is the absence of a commonly accepted scale to assess the impact of cyber events; there is no cyber Mercalli scale. Instead, insurers have attempted to define the minimum set of high-impact events they believe they must protect their balance sheets from.
The requirement to make the cover relevant to clients also surfaces a set of deeper issues related to the changing nature of risk. When previous war exclusions were drafted, assets needing protection and the risks they faced were usually tangible, readily measurable and relatively static. Today, the opposite is true. The wording of Exclusion 4 includes several innovative features that suggest insurers are finding ways to embrace the world of interconnected, intangible dynamic risk:
- Speed and source of attribution: the insurance cover depends on the attribution of an attack to a nation-state, but it recognizes that victims need a level of certainty around when or if an attribution will occur beyond that which official bodies have demonstrated thus far. If the government of the targeted state is slow or unwilling to issue an attribution, the onus will be on insurers to establish attribution using whatever “objectively reasonable” evidence is available.
- Secondary victims: whether by design or accident, nation-state cyber operations carry a significant potential to create impacts far beyond their initial target. The cascading effects of cyber disruptions are hard to quantify, but they are a strategic risk management problem for insurers’ clients. The creation of a concept of “bystanding cyber asset” allows cover for the unintended victims of major disruptive attacks (not qualifying as war or retaliation between major powers), located outside a state which has suffered major disruption.
- Focus on effects, not things: insurers generally seek to limit their exposure to the effects of a mass outage of critical infrastructure, owing to its potential for unsustainable losses. For economies undergoing digital transformation that are increasingly dependent on common technologies and networks, the distinction of what constitutes “critical infrastructure” is blurred. New technologies, coupled with broader adoption and deeper integration, are creating a profusion of nodes and pathways through which systemic disruption could be amplified and transmitted. The response was to create an exclusion based on major impact to an “essential service,” recognizing that economies are developing critical dependencies which are poorly understood.
These innovations are important steps forward in making cyber insurance relevant to risk in the 21st century. Nevertheless, they address just one potential source of high-impact cyber events. Buyers of insurance ultimately want protection from loss, with as few caveats as possible on its cause. The Carnegie analysis proposed an exclusion based on a concept of “cyber catastrophe” which would allow cover more closely aligned to harmful effects whatever the cause, while establishing limits of insurers’ liability. Though a complex undertaking, it is the path forward to making insurance truly valuable for risk management and resilience in the digital age.
Public-private partnerships: catastrophic risks are often the subject of public-private partnerships (PPP), in which the private insurance market absorbs losses up to a defined limit, beyond which public funds take over. These mechanisms are generally designed to increase the limits of cover and/or extend the provision of insurance. They serve public policy aims by incentivizing risk management (through premium levels and insurability criteria) and creating resilience through automatic financing of losses beyond what the private insurance market can bear. The prospect of a PPP for cyber insurance has been raised in the U.S. by the Cyberspace Solarium Commission and by some within the cyber insurance sector. The challenge in the context of cyber risk is that such mechanisms have generally emerged in response to a “market failure,” that is, the wholesale withdrawal of private insurance following a catastrophic event, or the exclusion of sections of society because of affordability or risk factors. As it stands, cyber risk lacks the impetus of a market failure and, as a result, there is no consensus around the need for, or the structure of, a PPP for cyber insurance. A further complication arises from the transnational nature of cyber risk, which limits the efficacy of measures by individual national governments.
Nevertheless, the cyber war exclusions are a stake in the ground planted by one of the major sources of private insurance. They clarify that major disruptions to critical services resulting from nation-state cyber operations will not be covered by insurance. As economies digitize, such events could be more damaging (at least in economic terms) than many risks which are covered by insurance PPP, such as natural catastrophes or terrorism. What distinguishes those risks from cyber risk is greater confidence in quantifying the risk, and the fact that experience of catastrophic harm catalyzed action. If governments accept that economic wellbeing and the provision of essential services increasingly depend on the management of cyber risk, it would be prudent to investigate the feasibility of a PPP for cyber insurance before the requirement is revealed by a catastrophic event.
Attribution: an interesting dimension of the exclusions is that they provide a clear private sector “user case” for attribution of nation-state cyber operations. They add a commercial perspective to academic analysis of the requirement for coherence in why, when and how governments make an attribution. The danger is that it could generate a market for attributions that trade accuracy for speed. This would create a legal problem for insurers, who have the onus to “prove attribution” and would have to judge what level of evidence constitutes proof amid the time pressure to provide support to clients.
It could also create far-reaching diplomatic consequences. China and Russia already reject the legitimacy of attribution of cyber operations issued by the U.S. and allied governments, viewing it as a deeply political, destabilizing exercise. Insurers should proceed with caution and work with cyber policy experts to develop methodologies to bolster the credibility of attributions. Consistency and clarity in the language used to describe the quality of intelligence and technical evidence which underlies a judgment of culpability is essential. An intensification of private sector attributions that watered down the evidentiary standard to meet time constraints could undermine the general concept of attribution while causing strategic harm to interstate relations.
Normative frameworks: the war exclusions also create a complementary, market-oriented approach to the development of global norms and international law on state cyber operations. The two processes initiated at the UN for agreeing on norms of state conduct in cyberspace both achieved consensus with public reports issued in 2021, marking a notable milestone. Nevertheless, states currently exercise power in cyberspace with far greater impunity than any other domain. This is to be expected to some degree, given the relative newness of the cyber domain compared to air, land, sea and even space. With the cyber war exclusions, insurers are attempting to gain some control over the relative uncertainty generated by anarchy in cyberspace. Insurers have drawn a line for the level at which a state cyber operation will breach one of the mechanisms society relies on for resilience to extreme events. It should be recognized as an additional signal of the need for operationalization and implementation of the norms emerging from the UN.
Cyber capacity building: insurance has been integrated into multi-stakeholder initiatives to build resilience in vulnerable communities and developing countries in the context of natural disaster risk. Innovations such as microinsurance and parametric risk solutions have been applied in a wide range of contexts to enable more of the world to take advantage of insurance protection. As insurers build confidence in covering cyber risk, they should lend their expertise to the growing range of efforts, coordinated by the Global Forum for Cyber Expertise, to develop capacity for cyber resilience worldwide.
Insurance will not be “the answer” to cyber risk. But it should offer a valuable, distinctive contribution to cyber risk management and resilience, as it does in other classes of risk. Uncertainty on the potential liability from nation-state cyber attacks has dragged on the growth of cyber insurance, and the new exclusions represent an important development that should bolster insurers’ confidence in their ability to accept cyber risk within sustainable limits. Though these new exclusions demonstrate that insurers can respond to the changing nature of risk, they are not perfect.
The exclusions demonstrate the potential for market-based mechanisms to translate strategic themes in the governance of cyberspace, such as public attribution of state attacks and global norms of conduct, into practical incentives. The challenge for insurers and public policy makers is to use this development as a foundation to further enhance the relevance of insurance to the risks emerging in digitally-dependent societies.
With thanks to Julian Miller, Partner, DAC Beachcroft.