Lloyd’s of London insurance policies will stop covering losses from certain nation-state cyber attacks and those that happen during wars, beginning in seven months’ time.
In a memo sent to the company’s 76-plus insurance syndicates, underwriting director Tony Chaudhry said Lloyd’s remains “strongly supportive” of cyber attack coverage. However, as these threats continue to grow, they may “expose the market to systemic risks that syndicates could struggle to manage,” he added, noting that nation-state-sponsored attacks are particularly costly to cover.
Because of this, all standalone cyber attack policies must include “a suitable clause excluding liability for losses arising from any state-backed cyberattack,” Chaudhry wrote. These changes will take effect beginning March 31, 2023 at the inception or renewal of each policy.
At a minimum – key word: minimum – these policies must exclude losses arising from a war, whether declared or not, if the policy doesn’t already have a separate war exclusion. They must also at least exclude losses from nation-state cyber attacks that “significantly impair the ability of a state to function or that significantly impair the security capabilities of a state.”
Policies must also “set out a robust basis” on which to attribute state-sponsored cyber attacks, according to Chaudhry – and therein lies the rub.
Attribution is ‘absolutely hard’
Attributing a cyber attack to a particular crime group or nation-state with 100 percent confidence “is absolutely hard,” NSA director of cybersecurity Rob Joyce said at this year’s RSA Conference. More recently he emphasized this point with a meme on Twitter:
HOW CAN NSA REALLY BE SURE OF THE ATTRIBUTION? I MEAN ANYONE CAN THROW RUSSIAN MALWARE! pic.twitter.com/Nv8ASBdbD8
— Rob Joyce (@NSA_CSDirector) August 19, 2022
Threat analysts typically attribute an attack to a nation-state from its level of sophistication, Jim Richberg, public sector field CISO at Fortinet, told The Register.
But as advanced persistent crime groups become more sophisticated – and have more resources at their disposal to buy zero-day exploits and employ specialists for each stage of an attack – differentiating between nation-states and cybercrime gangs becomes increasingly difficult, he explained.
“There are times when nation-states will act like criminals, using their tools and infrastructure, and sometimes vice versa,” Richberg said. “The clear line of sophistication and stealth that many have used as a common sense delineation has blurred. Yet, if you are going to pay out money you are likely going to look for something that is more ironclad and likely related to forensic evidence.”
State sponsored? Or sympathetic?
Plus, as many security researchers have pointed out, there’s a fine line between cybercriminals who are directly associated with a government agency – such as Russia’s GRU – and those who simply enjoy government protection from prosecution or are sympathetic to particular governments.
“Attacks aren’t just nation-state or not,” Google Threat Analysis Group senior director Shane Huntley told The Register.
“We have hack-for-hire operators with both government and non-government customers,” he added. “We have volunteer hacktivists operating on behalf of government causes, and cybercriminals operating with the tacit approval of states. Without clarity on where thresholds are, no insurance policyholder has any type of certainty of what risk they are mitigating.”
Ultimately, Huntley said, these policy changes mean attribution will become even more important with insurance payouts at stake. But the changes also give victim organizations an incentive to downplay any evidence linking an attack to a nation-state.
Bring in the lawyers
Because insurance policies are legally binding contracts, the question of attribution will likely be a legal question as opposed to a real-world one, according to Peter Hawley, director of insurance solutions in Europe for SecurityScorecard.
“The muddying of waters is the language surrounding ‘state-backed,’ which can be interpreted in a multitude of ways and therefore leaves an insurer open to either running the risk of paying money on an unsanctioned event, or facing an unenticing trip to court when the claim is declined and the insured then sues them in order to try to gain coverage,” he told The Register.
“I see this being an important connection point between those in the threat intelligence community and the cyber insurance arena, as insurance customers will ultimately benefit from contract certainty and clarity around decisions that are made in the event of a claim,” Hawley said.
But as the cost of cyber attacks continues to climb, insurers are being forced to find ways to limit their risk or else go out of business, which is a scenario that Lloyd’s faced down in the late 1980s and early 1990s.
“Insurers, by and large, aren’t worried about non-catastrophic nation-state attacks, and the intent isn’t to decline claims where a nation-state is responsible,” according to Coalition CEO Joshua Motta, whose company provides cyber insurance and security software.
In a series of tweets, Motta argued this isn’t an attempt to limit coverage “for the now everyday occurrences of nation-state hacking.”
Instead, he noted, “what insurers worry about are catastrophic acts of (cyber) warfare that aren’t quantifiable by the insurance industry, lead to astronomical damages, and ultimately bankrupt the industry.”