Lloyd’s of London insurance policies will stop covering losses from certain nation state cyber attacks and those that take place during wars starting in seven months.

In a memo sent to the company’s 76-plus insurance syndicates, underwriting director Tony Chaudhry said Lloyd’s remains “strongly supportive” of cyberattack reporting. However, as these threats continue to escalate, they “could expose the market to systemic risk that syndicates may struggle to manage,” he added [PDF], noting that nation-state-sponsored attacks are particularly expensive to cover.

For this reason, any standalone cyberattack policy must include “an appropriate clause excluding liability for losses from government-sponsored cyberattacks,” Chaudhry wrote. These changes will be effective from March 31, 2023, upon the commencement or renewal of each policy.

At a minimum – and minimum is the key word – these policies must exclude losses from a war, whether declared or not, unless the policy already contains a separate war exclusion. They must also at least rule out damage from nation-state cyber attacks that “significantly impair a state’s ability to function or significantly impair a state’s security capability.”

According to Chaudhry, the policies must also “provide a robust foundation” on which to attribute state-sponsored cyberattacks — and therein lies the catch.

Attribution is “absolutely difficult”

Linking a cyberattack to a specific criminal group or state with 100 percent certainty “is absolutely difficult,” the NSA’s director of cybersecurity, Rob Joyce, said at this year’s RSA conference. More recently, he emphasized this point with a meme on Twitter.

Threat analysts typically attribute an attack to a nation-state based on its level of sophistication, Jim Richberg, public sector CISO at Fortinet, told The Register.

But as advanced, persistent criminal groups become more sophisticated — and have more resources available to buy zero-day exploits and hire specialists for each phase of an attack — it becomes increasingly difficult to distinguish between nation-states and cybercrime gangs, he explained.

“There are times when nation states behave like criminals and use their tools and infrastructure, and sometimes vice versa,” Richberg said. “The clear line of sophistication and stealth that many have used as the common sense demarcation has been blurred. However, if you’re cashing out, chances are you’re looking for something more ironic and likely related to forensic evidence.”

State funded? Or state tolerated?

Also, as many security researchers have pointed out, there is a fine line between cybercriminals who are directly linked to a government agency – like Russia’s GRU – and those who simply enjoy, or stand to enjoy, protection from prosecution because they are friendly to certain governments.

“Attacks aren’t just nation-state or not,” Shane Huntley, senior director of Google’s Threat Analysis Group, told The Register.

“We have hack-for-hire operators with both government and non-government customers,” he added. “We have volunteer hacktivists operating on behalf of the government and cybercriminals operating with the tacit consent of states. Without clarity as to where the thresholds are, no policyholder has any certainty as to what risk they are mitigating.”

Ultimately, Huntley said, these policy changes mean attribution becomes even more important when insurance payouts are at stake. But they also provide incentives for victim organizations to downplay any evidence linked to a nation-state.

Get the lawyers involved

Because insurance policies are legally binding contracts, the issue of attribution is likely to be more of a legal than a real issue, according to Peter Hawley, director of insurance solutions in Europe at SecurityScorecard.

“Pollution of the waters is the language surrounding ‘government sponsored’ which can be interpreted in a number of ways and therefore exposes an insurer to either risk paying money for an unauthorized event or embarking on an enticing avenue court if the claim is denied and the insured then sues them to try and get coverage,” he told The Register.

“I see this as an important connection point between those in the threat intelligence community and the cyber insurance industry, as insurance customers will ultimately benefit from contractual certainty and clarity in decisions made in the event of a claim,” Hawley said.

But as cyberattack costs continue to rise, insurers are forced to find ways to limit their risk or otherwise go out of business, a scenario that Lloyd’s was headed toward in the late 1980s and early 1990s.

“Insurers by and large aren’t concerned about non-catastrophic nation-state attacks, and the intention is not to deny claims where a nation-state is responsible,” said Joshua Motta, CEO of Coalition, whose company provides cyber insurance and security software.

In a series of tweets, Motta argued that this was not an attempt to restrict reporting “for the now commonplace cases of nation-state hacking.”

Instead, he noted, “What insurers are concerned about is catastrophic (cyber) warfare, unquantifiable by the insurance industry, resulting in astronomical damage and ultimately bankrupting the industry.” ®

https://www.theregister.com/2022/08/24/lloyds_cybersecurity_insurance/ Lloyd’s excludes nation-state attacks from cyber policies • The Register