Another year, and another warning about the rise in ransomware and cyberattacks. What does that mean for insureds?
As an initial matter, it is worth noting the state of ransomware attacks overall. In early 2022, the Cybersecurity and Infrastructure Security Agency (CISA) reported that U.S., Australian, and U.K. “cybersecurity authorities” in 2021 “observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally.” CISA also reported a 62% increase in reported ransomware complaints for the first half of 2021, as compared to 2020, and a 20% “increase in reported losses” when compared to the same period in 2020.
Nonetheless, there is promising news for 2022. Some cybersecurity firms have reported a drop in ransomware volume for the first half of 2022. One firm reported “a downturn in ransomware volume over the first quarter of 2022,” with the positive trend reportedly continuing, “with ransomware attacks decreasing month-over-month throughout the [second] quarter” of 2022. Another firm reported a 23% drop in ransomware attacks in the first half of 2022, but did note an 11% increase in malware attacks.
Does cyber insurance cover ransomware?
The short answer is that a good cyber insurance policy should cover ransomware attacks. It should pay the costs of paying a ransom or responding to a cyber extortion threat. Specific to ransomware, a good cyber insurance policy should cover:
- The costs to investigate the attack
- The costs to remediate the attack
- The amount of the ransom (and costs to finance the payment)
- The income lost while the company is impacted by the ransomware and its aftereffects
- The extra expenses incurred to resolve the ransomware and get 100% back to business
Although Lloyd’s of London does not seem ready to eliminate all insurance coverage for ransomware, policyholders should expect London market insurance carriers to try to limit coverage for ransomware.
Lloyd’s issued a Market Bulletin on August 16, 2022, that requires insurance carriers to use a “state backed cyber-attack exclusion.” This exclusion is supposed to apply to “all standalone cyberattack policies falling within risk codes CY and CZ”; those risk codes are “Cyber Security Data and Privacy Breach” and “Cyber Security Property Damage.”
Lloyd’s has stated:
At a minimum, the state-backed cyberattack exclusion must:
1. exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
2. (subject to three) exclude losses arising from state backed cyberattacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.
3. be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state backed cyber-attack.
4. set out a robust basis by which the parties agree on how any state backed cyberattack will be attributed to one or more states.
5. ensure all key terms are clearly defined.
Lloyd’s also issued four “Cyber War and Cyber Operation Exclusion Clauses.”
It is not clear what the final insurance policy language will say for each carrier. As Lloyd’s notes, model insurance clauses “are purely illustrative and are distributed for the guidance of [Lloyd’s Market Association] members, who are free to agree to different conditions or amend as they see fit.”
Lloyd’s bulletin focuses on “liabilities arising from war and state backed cyber-attacks.” Savvy policyholders might note that insurance policies often have so-called “war exclusions” already. So why the change?
One answer likely is that insurance carriers have been using old language, or slightly modified versions of old policy language, as their so-called war exclusions in cyber insurance policies for years. Those exclusions probably were not written for cyber-based claims.
The new language requirements are an example of history repeating itself. When the insurance industry faces new risks, it usually relies on old policy exclusions to try to avoid covering, and insurers often use clever coverage counsel to argue that the old policy terms apply to the new risks. At the same time, the insurance industry writes new exclusions that are advertised as specific to the new risk. That has happened more than once when it comes to insurance for cybersecurity and data privacy risks. As to “war exclusions,” a New Jersey court recently determined that war exclusions did not apply to a claim for insurance coverage for a large malware attack that looked like ransomware.
Notably, the fact that there are new exclusions should be further evidence that old exclusions do not apply clearly to certain cyber events. Many states recognize that when an insurance carrier could have used more specific or clearer language, but didn’t, the carrier shouldn’t be able to interpret the language that it did use expansively. A new exclusion suggests that the carriers could have used language that was more specific for these circumstances.
This new language has yet to be tested, but a key question likely will be whether the insurance carrier can prove that the cyberattack or ransomware is attributable to a nation state or an act of war. Because this is an exclusion, the insurance carrier should have the burden of proving that it applies. It should not be up to the policyholder to prove otherwise.
First, note that these clauses are expected to be in new insurance policies from Lloyd’s of London insurance carriers. There has not been an industry-wide pronouncement for U.S. insurance carriers.
Second, it is unclear how these clauses will apply, and because the language is new, they are untested. A best practice for policyholders is to analyze the language and facts closely if a carrier tries to limit coverage by citing these new clauses.
Third, a best practice is to consider how the use of these clauses restricts coverage for scenarios that could be available under other insurance policies. It remains to be seen how this will affect the marketplace overall.
This article should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own lawyer on any specific legal questions you may have concerning your situation.