Lynda A. Bennett, chair of Lowenstein’s Insurance Recovery practice, continues her conversation with David Anderson, partner and head of Cyber at McGill and Partners, about changes to the London Market’s cyber insurance policy form that significantly expands the scope of its war exclusion by including not only formal declarations of war, but also nation state-backed cyber-attacks. Lynda and David explore how stakeholders reach consensus on the definitions of such terms as “insurable events,” “state-backed attacks,” or “ability to function”; and how policyholders should proceed in anticipation of other insurers reacting to London’s expansion of this exclusion.
Lynda A. Bennett, Partner and Chair, Insurance Recovery
David Anderson CIPP/US, Partner, US Head of Cyber at McGill and Partners
READ THE TRANSCRIPT
Lynda Bennett: Welcome to, Don't Take No For an Answer. I'm your host, Lynda Bennett, chair of the Insurance Recovery Practice here at Lowenstein Sandler. And I'm very pleased to welcome back David Anderson, who is partner and head of Cyber at McGill and Partners. And we're continuing a conversation we had last time looking into the significant change that the London market has made to its cyber form to significantly broaden the scope of its war exclusion, to include not only formal declarations of war, but also nation state-backed cyber attacks. So welcome back, Dave, very happy to have you back with us today.
David Anderson: Happy to be back, Lynda. I love this topic and I just love chatting with you.
Lynda Bennett: All right, well, thanks so much for that. Dave, as you know, last time we were talking about the change that the London market's making to its cyber form that's going to take effect in March of 2023. It really relates to state-based attacks, and we talked last time about what impact that had on the market, both in London as well as in the US. Today we'd like to do a little bit of a deeper dive into what's going to happen when these exclusions are actually on the policy. What are the pressure points of disagreement that are inevitably going to come to exist?
And one of the things that's really been on my mind is pinning down what it means to be a state-based attack. I've talked about this in the past, and there's a big difference between a formal declaration of war where you can pin down the date and the time and the reason for same, versus these cyber attacks that seem to happen behind very dark, closed-door kind of conversations. So, what are we going to see and how can we get a greater meeting of the minds among the underwriters, the brokers, and the policyholders on what is a state-backed attack?
David Anderson: I think that, ultimately, we have to see what language comes out from the underwriters, Lynda. As you alluded to in our last meeting, there are five different parameters that Lloyd's is pushing. Exclusion for war if it's not already there, exclusion for state-backed attacks that impair the ability of a country to function or defend itself, clear as to which computer systems are covered, a basis on the definitions, and an attribution. Those are just guidelines. So I haven't even seen a single proposed exclusionary endorsement from any of the Lloyd's underwriters.
I think what we need to do as an industry is take a step back and understand how we can better frame the intent of what's trying to be done here. We mention on the last episode, Russia attacking the United States and taking out the internet or vice versa is factually not an insurable event with how much premium we have in the marketplace. But if that's all that we're worried about, we really need to have a better answer to some of the words that are included in these recommendations. For example, the significant impairment of a state to function is one of the triggers for the exclusionary language.
There was a cyber attack in Long Island last week. I don't know who the threat actor is, and we're not attributing it to anyone. But what I saw on the news here locally, Lynda, was that, "Wow, their 911 systems were down," and this and that system was down. The mayor's on TV saying the town is still functioning and everything is going on. You could still call 911. You can do this and that. So if there was hypothetically an attribution to a nation state to that attack, would you be able to trigger the exclusion? Because the town continued to function. They just started taking notes on 911 calls in paper. So I think the biggest issue is we need to agree on where that level of catastrophe lies. And then we talked about crafting the language around it.
Lynda Bennett: Dave, just to build on what you said there, what is enough for it to be deemed a state-backed attack? Is it when the town says, "And by the way, we think Russia was behind this," and there's no other proof or evidence of that? That's a place where I see fertile ground for coverage litigation. And it's a town, whether it's the US government or whether it's some threat actor that says we did this, but there's actually nothing to prove that they did it. They were just happy to claim credit after the fact.
I think that's where you're right. And as always is the case on don't take no for an answer. The devil's going to be in the details of the words, and as any good coverage lawyer would do, we'll be telling judges about the very high bar and heavy burden that insurers have to bear to prove that exclusionary language. But that's where I think the biggest gray area is going to come into this. What is a state-backed attack? How does the carrier prove that? How does the policyholder disprove that negative when the event happens, but you really don't know who is responsible for it?
David Anderson: Yeah, I think the other area here that concerns me, Lynda, and this is going to go so far into the assurance weeds. I hope no one's driving and listening to this podcast. NotPetya was very clearly attributed to Russia as a deliberate attack on Ukraine that just happened to get out of the box. We let out Pandora's box and it spread everywhere. WannaCry was clearly attributed to North Korea by various Western governments. Do those attributions by government entities rise to the level as required in this new mandate, which is a robust way to attribute to one or more nation states?
And then if they do indeed go there, if the government is attributing the attack to a nation state, is there somewhere where there has to be a trigger for the TRIA insuring clause? Lloyd's policies, just like US insurance policies affirmity, have the terrorism TRIA backstop built in on most of them, including cyber policies. Is there a discussion to be had there where the US has to step in because they've acknowledged that this is done by a nation state? I don't know. The devil is definitely in the details. And this is the thing that concerns me about this rollout. I understand the intent. I don't think it's being handled as clearly as it should be.
Lynda Bennett: Well, and whenever we're talking about intent, once again, that's music to the ears of any coverage lawyer because inevitably that one's going to wind up in court. One of the things that's sent that chill down my spine and looking at some of the sample language that London put out there back in November of 2021, there was language that said, "If there was no governmental attribution, the insurer's allowed to rely upon an inference which is objectively reasonable to attribution." So this is one where I really want to caution our listeners that you need to read this language, you need to work with your broker, you need to work with your outside coverage counsel when these policies are being negotiated, because getting an inference into an exclusion is not good news for a policy holder. So the next couple months are going to be really important to see what level of negotiation London's going to allow around this language or whether it's going to be far more top down. But go ahead, Dave.
David Anderson: I will tell you, Lynda, that the language that the LMA the London Market Association put out in 2021 was kind of laughed out of the room. Because that sort of language in a unilateral contract where we're going to decide whether or not it's covered at the point of claim, and we're also the adjudicator of that decision, doesn't fly under contract law anywhere in the United States. So I will tell you that all the policies that I have worked with, even since that 2021 list of four potential endorsements came out, did not carry that. Underwriters thought it was too unclear. Underwriters didn't want to put themselves in that position of having to adjudicate that coverage claim. And again, we go back to the original topic on our last episode of the US markets, kind of looked at that and said, "Competitive advantage, we don't have that on our language." So I think this is the next attempt at that. I don't know if we're going to be able to resolve any of the questions that you brought up around the 2021 language either because we don't have sample language yet.
Lynda Bennett: Yeah. So I think it's important for our listeners to be looking out for that and also to start giving consideration because this is such a seismic shift in the market. Start thinking about what experts you're going to rely on because the coverage litigation, as I said, we already have some around the war exclusion, and if the London market's really going to dig in on this, we're certainly going to have more going forward. Giving consideration to who your experts will be a very important consideration.
So I think we've touched on this a little bit, but one of the things that London talked about when they were bringing this change was they wanted to bring clarity and stability to this area of policies. So Dave, do you think that's actually going to happen or are these exclusions going to create more chaos and confusion than already exists in the market today?
David Anderson: I see two different paths here. First of all, the intent is to bring stability and that's admirable if not required in order for this market to continue to survive. So the stability aspect of it, I agree. Clarity, I don't think so. The reality of what's happening now and whether or not this becomes a larger question if US insurers start doing this. And I don't know if they will, I think they will if we have a rash of something coming out of Ukraine to be fair.
But if not, you have two different situations. You have sophisticated Fortune 500, FTSE 1000, whatever, pick your metric. You have sophisticated insurance buyers who A, have very, very skilled brokers, shameless plug like me, working on their contracts where even if we want to do business with Lloyd's on this despite the language, A, you have someone who's making this decision consciously with their eyes wide open or God I hope so and I hope it's being properly disclosed to them. That's a risk management decision that the broker and the client can make together. And depending on the price point, and the deductible, and how much limit you're buying, everything's always negotiable even in the London market. And I will bet you that for the right client, with the right controls, with the right story to tell, there might even be room for language that a specific Lloyd syndicate has written.
The thing that concerns me the most, and this is sort of a tragic reality of every sort of commercial contract, is the mom and pop buyers, the commodity buyers, people who are spending $2,000 or $3,000 on cyber premium because they're a two or three office doctor versus two or 3 million in cyber premium, either they're not going to know that this language is on there, and the agent, not even the broker that's giving them the coverage, doesn't know how to explain it and therefore doesn't know how to talk about it, and so they have this exclusion, or there's nowhere else for them to buy it.
Lloyd's has been really, really creative and supportive in building out NGAs and small business units that are high volume, low touch, but they always carry the worst exclusions. And so that's the thing that scares me is you're going to have a lot of people that may not get the benefit of this cover because they don't have a choice. And if you have another NotPetya or WannaCry situation where I think attribution is questionable at best as to who did it, you're going to have the insurers say, "Well, we think this with Russia, so we're going to avoid coverage on 10,000 policies for 10,000 mom and pop businesses." I think that's going to do a lot more harm than one or two Fortune 500 companies calling Lynda, your team, and going to court over coverage litigation.
Lynda Bennett: Well, and I think Dave, one of the other themes that you've talked about is, what these exclusions are ultimately going to come down to is intent, and is there a meaning of the mind as to what risk is covered and what risk is subject to the exclusion? And so one thing that I think is important for our listeners to be thinking about as you're going through your upcoming renewal, and this is coming into clear focus, is getting the intent from the London market or the insurers generally in writing.
Because again, as I start to think about preparing for my coverage litigation, getting things documented, and having carriers that will talk about intent orally until the cows come home, but that doesn't help you out when you're sitting in the coverage litigation. So when the carriers start to talk to me about intent, I always tell them, "Look, the words are what matter most. I see the words on the page that you've got for the exclusion, but if this is really your intent, I need that in an email. I need that to be communicated in writing so that we don't have problems later." And that may be the holy grail in all of this discussion, getting that intent written down before the claim comes in.
David Anderson: I agree with you completely. Just to be fair to our friends at Lloyd's, every carrier everywhere in the world has answered every coverage question I've made in writing with the same response, "The policy speaks for itself." So I don't think that you're ever going to get a written response, especially on something this juicy from a carrier. It goes back to what you said, which if we can't deduce intent, then we have to go back to create as much contract certainty as possible.
If I were broking a deal with this language and the underwriter said, "David, we have to put this endorsement together. So it needs to get on there." I want to define every single term in the policy, "state fact." What's a state? "Impairment," what does that mean? "Ability to function," define function. If we have all these terms and we can agree to what that means, it's going to be a painful process, but I think you get closer to intent lining up with contract certainty than you would just taking an off the shelf endorsement, which sometimes are left deliberately gray because they think that that's going to serve them better when it's time to adjust the claim.
Lynda Bennett: Right, which we call buying a lawsuit.
So Dave, we're just about out of time. We talked about a couple of proactive things that policy holders can do. Work with an excellent broker such as yourself, really try to pin the carrier down to the defined terms, as you just said, in the exclusion or in the policy language itself. As I mentioned, press like crazy to get as much in writing around intent if that's what you're going to keep hearing orally. Is there anything else that policyholder... Oh, and I should also mention obviously competitively market this coverage and tear and compare what the London offerings are versus what the US domestic market's offering.
Is there anything else that our listeners should be thinking about to better protect themselves once these exclusions are coming onto the policies?
David Anderson: I have a couple of ideas. So unfortunately, we're still in the pre-launch phase, if you can call it that, on this language. So once we get to that point, it's important for the buyer, whether you're risk manager, treasurer, CFO, whoever the decision maker is, know your markets. Know who you're working with. If you have a long-standing relationship, keep that in mind. If you have a cross product relationship, you're buying property, casualty, DNO, keep that in mind. You should do the best that you can to put yourself in the best position possible to negotiate. You just said it yourself; this sounds like you're buying a lawsuit. So we joke around by saying it's just the right to negotiate the loss. There's no way that we're going to get to a hundred percent certainty, at least in the short term. So this may mean that you as a risk manager are surgical in the insurers that you keep on your program, especially on the lower or primary layers where coverage determinations happen.
You also may want to engage coverage counsel, Lynda Bennett, to take a second look at the exclusions and provide their opinion. Cyber is a very expensive spend. Please, please, please don't treat this like a checkbox exercise. And you should hold your broker to the same standards of accountability in terms of helping you understand. I may not be able to change the language, but I will not let you operate under some sort of false assumption or delusion. Those are two different things.
Lynda Bennett: Fantastic. As always, David, you have given us a wealth of information, knowledge, and practical tips. Always doing it with your usual flare that makes you one of our favorite guests to have on the podcast. So thanks for joining us again, and we'll look forward to seeing you next time.
David Anderson: Thanks, Lynda. Always a pleasure.
Kevin Iredell: Thank you for listening to today's episode. Please subscribe to our podcast series at lowenstein.com/podcast or find us on iTunes, Spotify, Pandora, Google Podcasts and SoundCloud. Lowenstein Sandler podcast series is presented by Lowenstein Sandler and cannot be copied or rebroadcast without consent. The information provided is intended for a general audience and is not legal advice or a substitute for the advice of counsel. Prior results do not guarantee a similar outcome. The content reflects the personal views and opinions of the participants. No attorney/client relationship is being created by this podcast and all rights are reserved.