Proposals by Lloyd’s of London to exclude state-backed cyber attacks from standard cyber insurance policies could lead to disputes between insurers and the businesses they insure, according to analysts at international law firm RPC.
Lloyd’s is proposing that state-backed attacks are excluded from standard cyber insurance policies to reduce the insurance market’s exposure to these losses.
Leaders at the insurance and reinsurance marketplace argue that state-backed attacks are likely to create the kind of systemic risk that could lead to large losses that are difficult to quantify.
But Richard Breavington, Head of Cyber and Tech Insurance at RPC, warns that there is still no clear method for establishing if a cyber attack is state-backed, meaning disputes could arise over whether the insurance claim is covered or not.
“The nature of cyber attacks means it is going to be hard to establish whether criminals are backed by the state – any evidence that exists is likely to be in the hands of law enforcement agencies. This could lead to uncertainty and potential disputes,” he explained.
One solution could be for the UK Government to make a declaration as to whether an attack is state-backed or not, Breavington notes.
This method is specifically identified in the model clauses published by the Lloyd’s Market Association as a factor in assessing whether attacks can be shown to be state-sponsored.
“However, the UK Government might be unwilling to accuse countries of backing cyber-attacks, not least as they may come under public pressure to retaliate. GCHQ is unlikely to want to provide information that might show how they gather data,” Breavington said.
“It is understandable that Lloyd’s is taking steps to manage the systemic risks of cyber attacks,” he added. “However, this does it with a degree of uncertainty which could lead to disputes.”