A market bulletin was issued by Lloyd’s of London (“Lloyd’s”) on August 16, which outlined its minimum requirements with respect to nation state cyber-attack exclusions. At the same time, Lloyd’s confirmed that those requirements are met by any one of the four model exclusions issued by the London Market Association (“LMA”) in 2021 (LMA21-043-PD) (or any other suitable clause which meets the minimum requirements). While all four of those exclusions commonly exclude losses arising from physical war, only one of those exclusions, the LMA5564, excludes nation state cyber attacks outright. The remaining three exclusions (LMA5565-67) all provide some degree of cover for nation state cyber attacks.
Understandably, the multiple-choice approach adopted by the LMA does not necessarily lend itself to easy articulation of the nuances between each of the exclusions. Crucially, however, the exclusions are different from one another. It is important to clarify to cyber insurance buyers that the LMA war exclusions do not exclude coverage for all nation state cyber attacks.
To date, it would appear that the LMA5567 is emerging as the most widely used of the four exclusions by Lloyd’s insurers as they move towards meeting the requirement set out in the recent market bulletin. In summary, this exclusion does exclude losses arising from physical war but does not exclude state-sponsored cyber attacks unless (1) they are carried out in the course of physical war or (2) they can be categorised against the applicable threshold points in the exclusion as having a major detrimental impact on the essential services or defence of a nation state – and only then, this limb (2) of the exclusion only applies if the insured’s digital assets affected by the attack are physically located in such impacted nation state.
Simplicity and clarity are both laudable qualities, particularly in the context of advising on complex insurance contracts. However, these qualities should not compromise insight and accuracy. Current trends in the cyber marketplace suggest that we are not going to see all cyber insurers supporting one war exclusion any time soon. Therefore, the ability to provide clients with clear, insightful and accurate advice on the nuances between the range of exclusions that have emerged (and, in all likelihood, will continue to emerge) that address war and nation state cyber attacks is crucial.