In its latest move to ensure that syndicates are appropriately addressing cyber exposures, Lloyd’s issued on August 16, 2022 Market Bulletin Y5381 -- “State backed cyber-attack exclusion” -- to require “legally reviewed” and “sufficiently robust” wordings in cyber policies to address both war and non-war state backed cyber-attacks. Lloyd’s noted that “exposure to cyber-attack losses has been an area of market focus in circumstances where the losses arise from attacks sponsored by sovereign states” and announced a requirement, effective March 31, 2023, for syndicates to include a state backed cyber-attack exclusion in stand-alone cyber policies at inception or upon renewal.
Lloyd’s announced these four requirements:
- exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
- (subject to 3) exclude losses arising from state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.
- be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state backed cyber-attack.
- set out a robust basis by which the parties agree on how any state backed cyberattack will be attributed to one or more states.
- ensure all key terms are clearly defined.
Importantly, “given the complexities that can arise in drafting suitable exclusion clauses,” Lloyd’s also required that “managing agents must be able to show that these exclusions have been legally reviewed having regard to the interests of underwriters.” Lloyd’s also noted, however, that each of its previously-released Cyber War and Cyber Operation Exclusions meets the newly-announced requirements. Managing agents using other wordings must be able to demonstrate that their wordings meet the requirements set forth in the Bulletin.