Latest News

Lloyd’s requiring state-backed cyberattack exclusions

Written on Aug 26, 2022

Lloyd’s of London will require standalone cyber policies to include state-backed cyberattack exclusions beginning in March 2023, it announced in a market bulletin.

Lloyd’s said that in addition to any war exclusion, new or renewed standalone cyber policies should:

  • Exclude losses arising from a war, whether declared or not where the policies do not have a separate war exclusion

  • Be clear as to whether the cover excludes computer systems that are located outside any state affected by the state-backed cyberattack

  • Subject to the former requirement, exclude losses arising from state cyberattacks that significantly impair a state’s ability to function or its security liabilities

  • Set out on a “robust” basis the parties’ agreement

  • Ensure all key terms are clearly defined

The bulletin says managing agents “will be expected to demonstrate that the clauses they will be adopting” meet these requirements.

It states that “We recognize that many managing agents in the market are already including clauses in their policies specifically tailored to exclude cyber-attack exposure arising both from war and non-war, state-backed cyber-attacks.”

“We wish to ensure, however, that all syndicates writing in this class are doing so at an appropriate standard with robust wordings,” it said, adding that wordings should be legally reviewed.

The bulletin states also that the Lloyd’s Market Association “has already undertaken an extensive exercise in producing suitable model clauses addressing state-backed cyberattacks.”

Lloyd’s said late last year that it had decided to stop covering losses related to state-sponsored cyberattacks as part of its newly issued cyber war and cyber operation exclusion clauses.