Proposals by Lloyd’s of London to exclude state-sponsored cyber attacks from standard cyber insurance policies could lead to disputes between insurers and the businesses they insure, according to analysis by the international law firm RPC.
Lloyd’s has suggested that state-sponsored attacks be excluded from standard cyber insurance policies to reduce the insurance market’s exposure to these losses.
Insurance and reinsurance market leaders argue that state-sponsored attacks are likely to create the kind of systemic risk that could lead to massive losses that are difficult to quantify.
But Richard Breavington, Head of Cyber and Tech Insurance at RPC, warns that there is still no clear method to establish whether a cyber attack is state-sponsored, meaning disputes can arise over whether an insurance claim is covered or not.
“The nature of cyber attacks means it is difficult to establish whether criminals are state-sponsored – any evidence that exists is likely to be in the hands of law enforcement agencies. This can lead to uncertainty and potential disputes,” he explained.
One solution could be for the UK Government to make a declaration on whether an attack is state-sponsored or not, Breavington said.
This method is specifically identified in the model clauses published by the Lloyd’s Market Association as a factor in assessing whether attacks can be shown to be state-sponsored.
“However, the UK Government may not want to accuse countries behind cyber attacks, particularly as they may come under public pressure to retaliate. GCHQ may not want to provide information that could show how they collect data,” Breavington
“Lloyd’s is understandably taking steps to manage the systemic risks of cyber attacks,” he added. “However, this creates a level of uncertainty that can lead to disputes.”