As cyber insurers evolve their understanding of the cyber attack landscape, who’s responsible, and what’s at stake, a logical next step is taken by Lloyd’s to better isolate what is covered and what isn’t.

It’s inevitable; cyberinsurers can’t blindly just cover every kind of cyberattack and pay out every time one happens – there are too many to count, and often times it’s the insured’s own employees that enabled an attack potentially covered by a cyber insurance policy.

new market bulletin put out by Lloyd’s of London makes it clear that very specific types of attacks – those that are essentially akin to cyber warfare – are not going to be covered.

“We are therefore requiring that all standalone cyber-attack policies…must include, unless agreed by Lloyd’s, a suitable clause excluding liability for losses arising from any state backed cyber-attack.”

Some of the requirements around this exclusion includes:

  • Losses arising from a war
  • Losses arising from state backed cyber-attacks the “that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.”

It also mentions that coverage with such an exclusion must also:

  • Specify whether computer systems outside an affected state (presumably within the context of the requirements above) are excluded or not
  • Provide an agreement between Lloyd’s and the insured as to “how any state backed cyber attack will be attributed to one or more states”

This puts more of the burden of having a strong protective cyberstance all the more important – one that includes Security Awareness Training as part of a layered defense to prevent cyber attacks from ever gaining entrance to a victim network and wreaking havoc – state actor or not.