Lynda A. Bennett, chair of Lowenstein’s Insurance Recovery practice, continues her conversation with David Anderson, partner and head of Cyber at McGill and Partners, about changes to the London Market’s cyber insurance policy form that significantly expand the scope of its war exclusion by including not only formal declarations of war but also nation state-backed cyber-attacks. Lynda and David explore how stakeholders reach consensus on the definitions of such terms as “insurable events,” “state-backed attacks,” or “ability to function,” and how policyholders should proceed in anticipation of other insurers reacting to London’s expansion of this exclusion.

Speakers:

Lynda A. Bennett, Partner and Chair, Insurance Recovery 

David Anderson CIPP/US, Partner, US Head of Cyber at McGill and Partners

Subscribe to Lowenstein Sandler’s Insurance Recovery Podcast: Don’t Take No for an Answer via Apple Podcasts/iTunes, Google Podcasts, Pandora, SoundCloud, Spotify and YouTube.


READ THE TRANSCRIPT

Lynda Bennett: Welcome to, Don't Take No For an Answer. I'm your host, Lynda Bennett, chair of the Insurance Recovery Practice here at Lowenstein Sandler. And I'm very pleased to welcome back David Anderson, who is partner and head of Cyber at McGill and Partners. And we're continuing a conversation we had last time looking into the significant change that the London market has made to its cyber form to significantly broaden the scope of its war exclusion, to include not only formal declarations of war, but also nation state-backed cyber attacks. So welcome back, Dave, very happy to have you back with us today.

David Anderson: Happy to be back, Lynda. I love this topic and I just love chatting with you.

Lynda Bennett: All right, well, thanks so much for that. Dave, as you know, last time we were talking about the change that the London market's making to its cyber form that's going to take effect in March of 2023. It really relates to state-based attacks, and we talked last time about what impact that had on the market, both in London as well as in the US. Today we'd like to do a little bit of a deeper dive into what's going to happen when these exclusions are actually on the policy. What are the pressure points of disagreement that are inevitably going to come to exist?

And one of the things that's really been on my mind is pinning down what it means to be a state-based attack. I've talked about this in the past, and there's a big difference between a formal declaration of war where you can pin down the date and the time and the reason for same, versus these cyber attacks that seem to happen behind very dark, closed-door kind of conversations. So, what are we going to see and how can we get a greater meeting of the minds among the underwriters, the brokers, and the policyholders on what is a state-backed attack?

David Anderson: I think that, ultimately, we have to see what language comes out from the underwriters, Lynda. As you alluded to in our last meeting, there are five different parameters that Lloyd's is pushing. Exclusion for war if it's not already there, exclusion for state-backed attacks that impair the ability of a country to function or defend itself, clear as to which computer systems are covered, a basis on the definitions, and an attribution. Those are just guidelines. So I haven't even seen a single proposed exclusionary endorsement from any of the Lloyd's underwriters.

I think what we need to do as an industry is take a step back and understand how we can better frame the intent of what's trying to be done here. We mentioned on the last episode, Russia attacking the United States and taking out the internet or vice versa is factually not an insurable event with how much premium we have in the marketplace. But if that's all that we're worried about, we really need to have a better answer to some of the words that are included in these recommendations. For example, the significant impairment of a state to function is one of the triggers for the exclusionary language.

There was a cyber attack in Long Island last week. I don't know who the threat actor is, and we're not attributing it to anyone. But what I saw on the news here locally, Lynda, was that, "Wow, their 911 systems were down," and this and that system was down. The mayor's on TV saying the town is still functioning and everything is going on. You could still call 911. You can do this and that. So if there was hypothetically an attribution to a nation state to that attack, would you be able to trigger the exclusion? Because the town continued to function. They just started taking notes on 911 calls in paper. So I think the biggest issue is we need to agree on where that level of catastrophe lies. And then we talked about crafting the language around it.

Lynda Bennett: Dave, just to build on what you said there, what is enough for it to be deemed a state-backed attack? Is it when the town says, "And by the way, we think Russia was behind this," and there's no other proof or evidence of that? That's a place where I see fertile ground for coverage litigation. And it's a town, whether it's the US government or whether it's some threat actor that says we did this, but there's actually nothing to prove that they did it. They were just happy to claim credit after the fact.

I think that's where you're right. And as always is the case on Don't Take No for an Answer, the devil's going to be in the details of the words, and as any good coverage lawyer would do, we'll be telling judges about the very high bar and heavy burden that insurers have to bear to prove that exclusionary language. But that's where I think the biggest gray area is going to come into this. What is a state-backed attack? How does the carrier prove that? How does the policyholder disprove that negative when the event happens, but you really don't know who is responsible for it?

David Anderson: Yeah, I think the other area here that concerns me, Lynda, and this is going to go so far into the assurance weeds. I hope no one's driving and listening to this podcast. NotPetya was very clearly attributed to Russia as a deliberate attack on Ukraine that just happened to get out of the box. We let out Pandora's box and it spread everywhere. WannaCry was clearly attributed to North Korea by various Western governments. Do those attributions by government entities rise to the level as required in this new mandate, which is a robust way to attribute to one or more nation states?

And then if they do indeed go there, if the government is attributing the attack to a nation state, is there somewhere where there has to be a trigger for the TRIA insuring clause? Lloyd's policies, just like US insurance policies, affirmatively have the terrorism TRIA backstop built in on most of them, including cyber policies. Is there a discussion to be had there where the US has to step in because they've acknowledged that this is done by a nation state? I don't know. The devil is definitely in the details. And this is the thing that concerns me about this rollout. I understand the intent. I don't think it's being handled as clearly as it should be.

Lynda Bennett: Well, and whenever we're talking about intent, once again, that's music to the ears of any coverage lawyer because inevitably that one's going to wind up in court. One of the things that's sent that chill down my spine and looking at some of the sample language that London put out there back in November of 2021, there was language that said, "If there was no governmental attribution, the insurer's allowed to rely upon an inference which is objectively reasonable to attribution." So this is one where I really want to caution our listeners that you need to read this language, you need to work with your broker, you need to work with your outside coverage counsel when these policies are being negotiated, because getting an inference into an exclusion is not good news for a policy holder. So the next couple months are going to be really important to see what level of negotiation London's going to allow around this language or whether it's going to be far more top down. But go ahead, Dave.

David Anderson: I will tell you, Lynda, that the language that the LMA, the London Market Association, put out in 2021 was kind of laughed out of the room. Because that sort of language in a unilateral contract where we're going to decide whether or not it's covered at the point of claim, and we're also the adjudicator of that decision, doesn't fly under contract law anywhere in the United States. So I will tell you that all the policies that I have worked with, even since that 2021 list of four potential endorsements came out, did not carry that. Underwriters thought it was too unclear. Underwriters didn't want to put themselves in that position of having to adjudicate that coverage claim. And again, we go back to the original topic on our last episode of the US markets, kind of looked at that and said, "Competitive advantage, we don't have that on our language." So I think this is the next attempt at that. I don't know if we're going to be able to resolve any of the questions that you brought up around the 2021 language either because we don't have sample language yet.

Lynda Bennett: Yeah. So I think it's important for our listeners to be looking out for that and also to start giving consideration because this is such a seismic shift in the market. Start thinking about what experts you're going to rely on because the coverage litigation, as I said, we already have some around the war exclusion, and if the London market's really going to dig in on this, we're certainly going to have more going forward. Giving consideration to who your experts will be a very important consideration.

So I think we've touched on this a little bit, but one of the things that London talked about when they were bringing this change was they wanted to bring clarity and stability to this area of policies. So Dave, do you think that's actually going to happen or are these exclusions going to create more chaos and confusion than already exists in the market today?

David Anderson: I see two different paths here. First of all, the intent is to bring stability and that's admirable if not required in order for this market to continue to survive. So the stability aspect of it, I agree. Clarity, I don't think so. The reality of what's happening now and whether or not this becomes a larger question if US insurers start doing this. And I don't know if they will, I think they will if we have a rash of something coming out of Ukraine to be fair.

But if not, you have two different situations. You have sophisticated Fortune 500, FTSE 1000, whatever, pick your metric. You have sophisticated insurance buyers who A, have very, very skilled brokers, shameless plug like me, working on their contracts where even if we want to do business with Lloyd's on this despite the language, A, you have someone who's making this decision consciously with their eyes wide open or God I hope so and I hope it's being properly disclosed to them. That's a risk management decision that the broker and the client can make together. And depending on the price point, and the deductible, and how much limit you're buying, everything's always negotiable even in the London market. And I will bet you that for the right client, with the right controls, with the right story to tell, there might even be room for language that a specific Lloyd syndicate has written.

The thing that concerns me the most, and this is sort of a tragic reality of every sort of commercial contract, is the mom and pop buyers, the commodity buyers, people who are spending $2,000 or $3,000 on cyber premium because they're a two or three office doctor versus two or 3 million in cyber premium, either they're not going to know that this language is on there, and the agent, not even the broker that's giving them the coverage, doesn't know how to explain it and therefore doesn't know how to talk about it, and so they have this exclusion, or there's nowhere else for them to buy it.

Lloyd's has been really, really creative and supportive in building out NGAs and small business units that are high volume, low touch, but they always carry the worst exclusions. And so that's the thing that scares me is you're going to have a lot of people that may not get the benefit of this cover because they don't have a choice. And if you have another NotPetya or WannaCry situation where I think attribution is questionable at best as to who did it, you're going to have the insurers say, "Well, we think this was Russia, so we're going to avoid coverage on 10,000 policies for 10,000 mom and pop businesses." I think that's going to do a lot more harm than one or two Fortune 500 companies calling Lynda, your team, and going to court over coverage litigation.

Lynda Bennett: Well, and I think Dave, one of the other themes that you've talked about is, what these exclusions are ultimately going to come down to is intent, and is there a meeting of the minds as to what risk is covered and what risk is subject to the exclusion? And so one thing that I think is important for our listeners to be thinking about as you're going through your upcoming renewal, and this is coming into clear focus, is getting the intent from the London market or the insurers generally in writing.

Because again, as I start to think about preparing for my coverage litigation, getting things documented, and having carriers that will talk about intent orally until the cows come home, but that doesn't help you out when you're sitting in the coverage litigation. So when the carriers start to talk to me about intent, I always tell them, "Look, the words are what matter most. I see the words on the page that you've got for the exclusion, but if this is really your intent, I need that in an email. I need that to be communicated in writing so that we don't have problems later." And that may be the holy grail in all of this discussion, getting that intent written down before the claim comes in.

David Anderson: I agree with you completely. Just to be fair to our friends at Lloyd's, every carrier everywhere in the world has answered every coverage question I've made in writing with the same response, "The policy speaks for itself." So I don't think that you're ever going to get a written response, especially on something this juicy from a carrier. It goes back to what you said, which if we can't deduce intent, then we have to go back to create as much contract certainty as possible.

If I were broking a deal with this language and the underwriter said, "David, we have to put this endorsement together. So it needs to get on there." I want to define every single term in the policy, "state-backed." What's a state? "Impairment," what does that mean? "Ability to function," define function. If we have all these terms and we can agree to what that means, it's going to be a painful process, but I think you get closer to intent lining up with contract certainty than you would just taking an off the shelf endorsement, which sometimes are left deliberately gray because they think that that's going to serve them better when it's time to adjust the claim.

Lynda Bennett: Right, which we call buying a lawsuit.

So Dave, we're just about out of time. We talked about a couple of proactive things that policy holders can do. Work with an excellent broker such as yourself, really try to pin the carrier down to the defined terms, as you just said, in the exclusion or in the policy language itself. As I mentioned, press like crazy to get as much in writing around intent if that's what you're going to keep hearing orally. Is there anything else that policyholder... Oh, and I should also mention obviously competitively market this coverage and tear and compare what the London offerings are versus what the US domestic market's offering.

Is there anything else that our listeners should be thinking about to better protect themselves once these exclusions are coming onto the policies?

David Anderson: I have a couple of ideas. So unfortunately, we're still in the pre-launch phase, if you can call it that, on this language. So once we get to that point, it's important for the buyer, whether you're risk manager, treasurer, CFO, whoever the decision maker is, know your markets. Know who you're working with. If you have a long-standing relationship, keep that in mind. If you have a cross product relationship, you're buying property, casualty, D&O, keep that in mind. You should do the best that you can to put yourself in the best position possible to negotiate. You just said it yourself; this sounds like you're buying a lawsuit. So we joke around by saying it's just the right to negotiate the loss. There's no way that we're going to get to a hundred percent certainty, at least in the short term. So this may mean that you as a risk manager are surgical in the insurers that you keep on your program, especially on the lower or primary layers where coverage determinations happen.

You also may want to engage coverage counsel, Lynda Bennett, to take a second look at the exclusions and provide their opinion. Cyber is a very expensive spend. Please, please, please don't treat this like a checkbox exercise. And you should hold your broker to the same standards of accountability in terms of helping you understand. I may not be able to change the language, but I will not let you operate under some sort of false assumption or delusion. Those are two different things.

Lynda Bennett: Fantastic. As always, David, you have given us a wealth of information, knowledge, and practical tips. Always doing it with your usual flair that makes you one of our favorite guests to have on the podcast. So thanks for joining us again, and we'll look forward to seeing you next time.

David Anderson: Thanks, Lynda. Always a pleasure.

Kevin Iredell: Thank you for listening to today's episode. Please subscribe to our podcast series at lowenstein.com/podcast or find us on iTunes, Spotify, Pandora, Google Podcasts and SoundCloud. Lowenstein Sandler podcast series is presented by Lowenstein Sandler and cannot be copied or rebroadcast without consent. The information provided is intended for a general audience and is not legal advice or a substitute for the advice of counsel. Prior results do not guarantee a similar outcome. The content reflects the personal views and opinions of the participants. No attorney/client relationship is being created by this podcast and all rights are reserved.
