Lloyd’s of London’s new requirement that all insurers issuing standalone cyber coverage exclude liability for any state backed cyber-attacks could present a systemic risk to the insurance market, raising questions of coverage in the event of a catastrophic event such as a cyber-attack between Russia and the U.S. Lynda A. Bennett, and her guest David Anderson CIPP/US, Partner explore options for obtaining coverage in the U.S. without such restrictive war exclusions, as well as ways to assess risk and work with underwriters on appropriate language to increase chances of coverage in case disaster strikes.
Lynda A. Bennett, Partner and Chair, Insurance Recovery
David Anderson CIPP/US, Partner, US Head of Cyber at McGill and Partners
READ THE TRANSCRIPT
Lynda Bennett: Welcome to Don't Take No for an Answer. I'm your host, Lynda Bennett, chair of the Insurance Recovery Practice here at Lowenstein Sandler, and I'm very pleased to be joined today by David Anderson, who's the partner and head of cyber at McGill and Partners. Today we're going to be talking about some recent changes in the cyber insurance market and what they might mean for policy holders here in the United States. So David, welcome back. So pleased to have you back with us on the show today. Thanks for joining me.
David Anderson: Oh, man, Lynda. Nothing makes me more excited and then nerding out over insurance with you, so I'm always happy to be a guest and thanks for having me on.
Lynda Bennett: All right, great. Well, so Dave, let me set the table a little bit of what we're going to be talking about today. In recent years, we've had cyber attacks carried out by or on behalf of national actors that have increasingly impacted companies in the United States and around the world. As you know, at first insurers base denials on the resulting claims under their war exclusions, but there has been somewhat of a seismic shift because at least one court has rejected a broad reading of that exclusion when it comes to cyber attacks. So as usual, Lloyd's of London is leading the way and has made a number of efforts to try to limit the scope of coverage for these acts. So in August, as you know, Lloyd's released its most recent effort requiring all of the insurers that participate in a London market issuing standalone cyber coverage to exclude liability for any state backed cyber attacks.
Lloyd's is requiring that every one of these exclusions have to include losses from a war, if it's not already an exclusion in the policy, and excluding losses from state backed cyber attacks and to be clear about whether coverage excludes computer systems outside of the state in which the act took place, and also to set out a robust basis for the parties to agree whether and how to attribute acts to a specific state. So as a result of that, every participant in the London market will be required to exclude this coverage regardless of who the policy holder is and the risk that's being insured. Now as you know, Dave, Lloyd's has admitted that this is a pretty significant change in the market and that it's being driven to prevent what it termed a systemic risk for insurers.
So we know that cyber attacks are now common and many of them are funded or supported by states even if they're not specifically carried out on their behalf. So let's just jump right in. Is Lloyd's correct that these types of state based tax present a systemic risk to the insurance market, Dave?
David Anderson: So this is not the first time that we've seen Lloyd's of London proactively respond to war related risks. Since 1937, when the Second World War was really starting to boil over, Lloyd's property policies excluded damage from war or bombs that resulted in fire on their property policies. In 1973, you had a really interesting case study of Pan Am Flight 93 in which the aviation war exclusion was tested. Again, that exclusion did fail in that case because the act of war as determined by the court was not between two sovereign entities, it was between a terrorist organization and the airline. The spirit of what Lloyd is trying to do and to be fair, Lynda, other insurers, it is logical. The implementation, God forgive me when my Lloyd's underwriters hear this, is definitely far from perfect and the reason for that is because the underlying issues are actually pretty complicated.
People are not looking to deliberately undermine cyber coverage. However, it is important to keep in mind that there is no way that the cyber insurance market globally, not just Lloyd's globally, could actually cover a direct cyber attack against United States or another sovereign nation from another nation state. If you have a cyber attack that results in a total failure of a country's electric grid or infrastructure or pick your other doomsday event, the cyber insurance market would be wiped out in instant. Unfortunately, nothing is ever that clean cut. The language is continuing to evolve, sometimes to the chagrin of brokers and policyholders, but it is an evolution that I think was going to happen whether we liked it or not because a true cyber attack between two great powers like Russia and the U.S., not an insurable event.
Lynda Bennett: Dave, that kind of reminds me of 9/11 and all of the coverage litigation that flowed from 9/11. Quite a reverberation across the entire insurance market from that. So Dave, what has been the reaction to this change by the London market here in the U.S. market? Are we seeing domestic insurers following suit or taking a bit more of a wait and see approach on how the market reacts to London's exclusion?
David Anderson: So the answer is mixed bag, and I'm going to reiterate that these are my opinions and mine alone, but I think that there is still an ability to procure coverage without the super restrictive terms that we're seeing come out of Lloyd's in the U.S. market. The U.S. market and the London market have always been pretty similarly aligned in how they underwrite risk, but the U.S. market, especially the large primary players, I'm not going to name them because I don't want to, and if you know who they are, that's great. The U.S. market has been a lot stricter, I think, in the beginning stages of the hard market on underwriting controls on a case-by-case basis, and therefore in my opinion, and frankly my experience of nine years doing this, anecdotally, the U.S. market has always been more focused on the individual policy holder's strengths around information security.
I'm not saying that Lloyd's of London isn't focused on that, but the U.S. tends to be more case by case. They tend to think that they can look at one given risk and identify how good the controls are. I've also liked to say that the U.S. insurers have tried to curtail their exposure to war-like risk with situations like NotPetya or Wannacry, but they haven't taken as prescriptive and broad brush of an approach as Lloyd's has with this language that may in the long term play out to their advantage in terms of growing their books.
Lynda Bennett: Dave, are you seeing your policyholders aware of this? Are they taking an extra careful look if London is one of the carriers that's offered in a renewal package to consider? Or are they not as up to speed on this very significant change in wording?
David Anderson: I think people are more up to speed on this than you would guess, Lynda. It is the topic de jour at all the cyber networking events, all the conferences, all the different thought leadership panels that we see sort of in the marketplace. Risk managers, I think, are genuinely concerned and so there is a decision-making mechanism that is being constructed within the brokerage community. I wouldn't say that it's scientific or precise, but it's more around making sure our clients understand the difference between a war exclusion on a U.S. insurance policy versus what will eventually be sort of a broad brush war exclusion on all Lloyd's policies, and it is very important that folks understand the difference between those policies. I also think that barring a catastrophic attack like a NotPetya 2.0 or something else that comes out of Putin's war in Ukraine, the U.S. will probably continue to be a little bit more flexible.
I think that they're, again, as I mentioned, way more focused on controls than they are sort of systemic risk. Not to say that they aren't focused on systemic risk, but they do think ... my experience has been if you have a plus cyber cybersecurity, resilience, backup strategy and all the sort of catastrophic exposures that people are worried about, you can still get "Cadillac coverage" in the U.S. without a very, very detrimental war exclusion. There is the concept of a cyber terrorism carved back that is still around on most policies that states that if a cyber attack is promulgated by a political entity, fine line between political entity and nation state, to advance their political views, religious views, whatever, it's going to be covered by the policy and that's way more clear on domestic policies, I'd say.
Lynda Bennett: So speaking in broad strokes though, Dave, are we seeing a difference in pricing and is that a competitive edge for the U.S. based insurers that are offering a bit broader coverage where maybe they can charge more, and is London suitably reflecting in its premiums the reduction in coverage that comes with its broader war exclusion?
David Anderson: I would say there is a bit of a price difference. I wouldn't say it's pronounced. I am seeing now as the coverages diverge a little bit between Lloyd's and other carriers, that the price for domestic policies is now a little bit more expensive than Lloyd's policies. There's a number of different factors in that, Lynda. The Lloyd's market is a lot more conservative now on underwriting biometric risk as well. They got hit pretty roughly under BIPA with that new law. They're a little bit more concerned about offering the broad supply chain interruption, cyber interruption coverage that the U.S. does. So there is a price difference, but the savvy risk manager that has a discussion and understands a tradeoff between lower costs and less exclusions will be able to make an informed decision as to how that coverage really dovetails against their risk. It is something that we ask our clients to actively think about because we still go to Lloyd's just like we still go to American insurers.
Lynda Bennett: So what are you seeing on the Lloyd's side? What's the reaction of the insurers and particularly those underwriters now that you're going back into the market? Are you seeing different information requests or requirements from the carriers?
David Anderson: I've heard two different sort of strategies going on across the pond. The first response, and this is where Don't Take No for an Answer really shines, is that folks have to be really aware of how much risk they're willing to take with the language that they're taking from the insurer. So there is a lot of uncertainty around how this language is going to hold up and while the edict has come down to the Lloyd's insurers and that edict on this topic will go live March 31st, 2023, I still have a hard time understanding how we're going to be able to parse out these exclusions. That being said, they're being pushed down.
The other response that I'm hearing from some of my colleagues across pond is very much in support of this strategy, believing that the war exclusion is really addressing a systemic risk that's not insurable. Is that an accurate perception of the situation? Sure. At 30,000 feet it is. I think that it needs to be a little bit more surgical than what's being done now, to be fair, and I'll probably get some hate mail for that one.
Lynda Bennett: Once the exclusions go into effect and you polish up your crystal ball, what are the most likely issues that you see arising either from an underwriting or a claims perspective once this wording's actually in the policy?
David Anderson: I think the first thing that's going to happen is the risk managers and their broker partners are going to really start pushing the underwriters to define and commit to what the words, actual words, they're putting in these exclusions need. You mentioned earlier when we talked about the four sort of data points that they're requiring, that definitions need to be clear and agreed upon. There was another point that I think is overlooked on this new exclusion, which is that the policy exclusion applies when a nation state is unable to function or is unable to defend itself. So I think the immediate side effect of these exclusions going on to policies, and remember, Lynda, every underwriter can use whatever language they want on the policy as long as it checks the box of the Lloyd's mandate.
The immediate result is going to be that brokers and their risk managers are going to be asking for clarity and clarification around what the intent of the language is. I don't think that they're going to get the answers that they're looking for, and that's not a dig against Lloyd's underwriters. Most underwriters will say to the broker, "It's your job to interpret coverage. The policy speaks for itself when you look at the language." That's result number one. It's not great. I think that's going to be an unfortunate reality.
Lynda Bennett: And boy, is that music to my ears, Dave, because it sounds like coverage litigations coming. Here it comes!
David Anderson: I think you're absolutely right and I think the second result is when this exclusion is tested in the marketplace, I wonder how much thought has been put into how this works in U.S. insurance law. It's a unilateral contract. The brilliant minds at Lowenstein Sandler understand that there is generally a little bit more favorability towards a policy holder when it comes to exclusions and unclear language. I think it's going to be messy and I think that people are going to be looking to set precedent or avoid setting precedent depending on what side of the fence you're on. The other thing that I would add, Lynda, if the precedent or the exclusions are leveraged in a way that results in a bad perception of the carrier or perhaps the entire industry, the cyber insurance industry, we're not doing ourselves any favors either. So I would be very careful if I was a syndicate looking to trigger this exclusion. I really would.
Lynda Bennett: Well, Dave, you know what? This is obviously very complicated and messy. One plug I want to give you, of course, is it's important for policy holders to be working with knowledgeable brokers, as you said a few minutes ago. Getting a meeting of the minds among the underwriters, the broker and the policy holder at the front end's going to be really important. So having somebody who's knee-deep in these issues every day, super important and you're obviously right there. But we've really just scratched the surface on this very important change that's coming in the cyber market, so I'd love to have you back to continue our conversation because we've got lots more to cover on this. So please come on back next time, but thanks for sharing your knowledge today.
David Anderson: Thanks, Lynda.
Kevin Iredell: Thank you for listening to today's episode. Please subscribe to our podcast series at lowenstein.com/podcast or find us on iTunes, Spotify, Pandora, Google Podcasts and SoundCloud. Lowenstein Sandler podcast series is presented by Lowenstein Sandler and cannot be copied or rebroadcast without consent. The information provided is intended for a general audience and is not legal advice or a substitute for the advice of counsel. Prior results do not guarantee a similar outcome. The content reflects the personal views and opinions of the participants. No attorney/client relationship is being created by this podcast and all rights are reserved.