Insurance protection for organisations against cyberattacks is to undergo a major shakeup, after an announcement from the world’s leading underwriter.
Lloyd’s of London in a market bulletin told its insurers they will be required to stop covering nation state-backed cyberattacks in their standard cyber insurance policies.
It comes after many organisations over the years opted (against professional cyber advice) to pay hackers huge sums of money and claim on their cyber insurance policies, after experiencing a ‘cyber security incident’.
The question that remains, however, is how many organisations actually experience a cyberattack from a hostile nation state or state actors, and not a cyber criminal gang, which are sometimes affiliated to hostile governments.
And the change will mean that the accurate identification of hackers will become even more important going forward.
Lloyd’s of London in its market bulletin noted that “market for coverage against cyber-attack losses has grown rapidly in recent years to become a significant class of business for insurers.”
The insurer warned that a large-scale cyberattack launched by a foreign power could expose underwriters to systemic risks, due to the damage such attacks can cause and their ability to spread on a widespread basis.
It also warned that the risk is heightened by the world’s heavy reliance on digital infrastructure, and said the losses could go far beyond the market’s capacity.
“Lloyd’s remains strongly supportive of the writing of cyber-attack cover but recognises also that cyber related business continues to be an evolving risk,” the insurance marketplace said. “If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage.”
The organisation is now telling its underwriters to make exclusions for cyberattacks launched by governments and state actors.
“In particular, the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb,” it said.
“For this reason, we have consistently emphasised that underwriters need to be clear in their wordings as to the cover they are providing,” it added.
The new policy from Lloyd’s of London comes amid concern the world could see a major increase in cyberattacks amid the ongoing war in Ukraine, plus an increased threat from Russian hackers.
Lloyd’s said standalone cyberattack policies must include clauses excluding liability for losses arising from state-backed hacks, unless approved by Lloyd’s.
It said the new policy will come into effect in March 2023 or on renewal of each cyberattack policy.
The change has already drawn a reaction from cybersecurity specialists, including Paul Brucciani, cyber security advisor at cyber and privacy specialist WithSecure.
“Lloyd’s of London exists to make money by underwriting risk,” noted Brucciani. “With profits already under pressure from the worldwide wave of ransomware claims, these have been exacerbated by the losses caused by cyberattacks precipitated by the Russian invasion of Ukraine. Even though Lloyd’s is no longer willing to underwrite losses arising from state-backed attacks, this is easier said than done.”
“Interpol Secretary General Jurgen Stock warned at the World Economic Forum in Davos, Switzerland, in May 2022 that nation-state malware could become a commodity on the dark web soon, making it much harder to distinguish criminal attacks from state-backed attacks,” noted Brucciani.
“Criminal actors could perform reverse engineering of military-made malicious code and use their own versions in attacks ‘in the wild’,” Brucciani added. “Nation-states with access to cyber weapons used in the conflict could also simulate ‘in the wild’ attacks, making the attribution impossible.”
“The cyber insurance market is hardening,” said Brucciani. “Companies seeking cyber insurance should look at it as a source of emergency finance to pay for specialist technical and professional services support.”
“Companies can significantly reduce their cyber security risk by doing the following,” Brucciani advised.