back to article Lloyd's to exclude certain nation-state attacks from cyber insurance policies

Lloyd's of London insurance policies will stop covering losses from certain nation-state cyber attacks and those that happen during wars, beginning in seven months' time. In a memo sent to the company's 76-plus insurance syndicates, underwriting director Tony Chaudhry said Lloyd's remains "strongly supportive" of cyber attack …


  1. An_Old_Dog Silver badge

    Value of In-House Talent

    It'll be interesting to see how many companies these circumstances shift into hiring computer security staff who are not simply scapegoats, but whose input managements heeds, and who are properly supported with training and HW/SW budgets.

    1. Pascal Monett Silver badge

      Re: Value of In-House Talent


      I'm guessing not many.

    2. Anonymous Coward
      Anonymous Coward

      Re: Value of In-House Talent

      They need to up the money first. The difference between the salaries a cybersecurity professional can expect in the UK vs other developed countries is a joke. It's almost less than half.

      Also, HR departments need to sort out the job descriptions on their recruitment guff. Almost all the vacancies that I've seen that would "sort of" fit me go off on wild tangents. It's almost like they try and bundle in cybersecurity with another role to try and get a two for one deal at half the price.

      Yes, cybersecurity folks can end up with a lot of free time, yes that sucks if you're paying the salary, but burning out your cybersecurity folks by asking them to also do desktop support bitch work is not a good idea. They need to be fresh, all the time to be able to shoulder a massive incident should one occur. Stop looking at them as workers and more as an insurance policy. You're paying for them to be ready and to advise. You aren't paying them to spread the mayonnaise on a sandwich production line.

      I see it like this...a nightclub owner has noticed that his bouncers just stand around a lot at the doors, so to get his money's worth he takes them off the doors periodically to change toilet rolls in the gents and DJ for guests. Guess what though, in getting "better value" more people are sneaking in without paying tickets. There's now a massive drug problem and shit is kicking off.

    3. EnviableOne Silver badge

      Re: Value of In-House Talent

      TBF, I know a good few industries, where cyber insurance premium reductions are being used to finance security improvement.

      A lot of good insurance firms are working to that end, and providing proper mitigations gets you decent coverage at a decent price.

      There are some that even actively work to asses and improve your security throughout the contract, and are becoming closer to MSPs than Insurance firms.

      1. Anonymous Coward
        Anonymous Coward

        Re: Value of In-House Talent

        ...and yet hiring an actual qualified cybersecurity expert into your business does jack shit for your premiums.

  2. Anonymous Coward
    Anonymous Coward

    "But don't worry, we'll still accept your premiums... provided you pay on time"

    "You had a 'Third Party, Fire and Theft' policy... bad luck... a nation state organised the theft, so that just leaves 'Fire'... oh, they hacked your boiler and alarm system, causing it to burn down the building... as I said, really bad luck there... can I interest you in our new 'Comprehensive' policy?"

    1. Yet Another Anonymous coward Silver badge

      You simply buy our new Insurance Risks policy which covers you against your insurance not paying up.

      And if you have any concerns about that we have an Insurance Risks Insurance policy .....

    2. Anonymous Coward

      Have you ever bought insurance?

      Or read your own insurance policy? Almost all policies in almost all countries exclude "Acts of War" by default.

      IMHO, the less cyber insurance policies cover, the more companies will be willing to invest in security instead of treating hacks as a business expense.

      1. Yet Another Anonymous coward Silver badge

        Re: Have you ever bought insurance?

        Yes and act of war if your car is hit by a tank seems reasonable. But if the insurance company gets to decide every hack is an undeclared war, then every stroppy customs official or every trade embargo?

      2. Anonymous Coward
        Anonymous Coward

        Re: Have you ever bought insurance?

        I disagree. Any money saved goes to shareholders as dividends and to execs as bonuses.

      3. Anonymous Coward
        Anonymous Coward

        Re: Have you ever bought insurance?

        You bonehead...does that make a disk failure an act of god then?

  3. Anonymous Coward
    Anonymous Coward

    So by extension:

    If I'm retained as an InfoSec bod and my client is popped by a Nation state, I'm not on the hook for my failings and my PI cover isn't needed?

    And there's no need for the CISO / InfoSec team to fall on their swords either (Tangent: has anyone ever known either to do so ?)

    1. Yet Another Anonymous coward Silver badge

      You know how you blamed the hack on N Korean Mossad Cyber Ninjas from the Matrix when you forgot to change the default passwd on the firewall?

      Now to get insurance to pay out you have to prove it was so trivial to break in that any regular crim could have done it

      1. Anonymous Coward
        Anonymous Coward

        N Korean Mossad Cyber Ninjas from the Matrix...those fucking bastards...always filling my log files up.

  4. Binraider Silver badge

    Maybe this reflects the inevitable case where a cyber attack does take out some major infrastructure. Nobody can afford for that to happen. So where’s the commensurate budget to go and deal with those obsolete PLCs and their electromechanical predecessors?

    There are secondary issues like figuring out how to work on such systems without disrupting other work that needs to happen, but that can all be done.

  5. Hans Neeson-Bumpsadese Silver badge

    At a minimum – key word: minimum – these policies must exclude losses arising from a war,

    That sort of clause is fairly standard in insurance policies. Fun fact: that's why some wars that the UK has been involved with were not classified as wars. For example in Malaya (not a "war", it was an "emergency") and the Falklands (not a "war", it was a "conflict") there we many British subjects/dependents who suffered losses or damages, but because these weren't technically wars they could still claim on their insurance policies.

    1. WonkoTheSane

      /me points at the USA calling Vietnam "A Police Action"

      1. Anonymous Coward
        Anonymous Coward

        >USA calling Vietnam "A Police Action"

        Except that some white people were also killed, that doesn't sound too far off.

        Isn't napalm the obvious answer to school shootings?

      2. An_Old_Dog Silver badge

        Check Your History, Please

        It was the Korean War which was (mis-)labelled a "police action."

    2. JimboSmith Silver badge

      Vlad the inhaler obviously saw this coming declaring a special military operation not a war when he invaded and started targeting civilians in Ukraine.

      1. Yet Another Anonymous coward Silver badge

        re: declared or not

        So are we in an undeclared war with Russia? China? Iran? The Eu?

  6. amanfromMars 1 Silver badge

    A Stitch in Time Saves Nine/Proper Preparation and Planning Prevents Piss Poor Performance

    However, as these threats continue to grow, they may "expose the market to systemic risks that syndicates could struggle to manage," he added [PDF], noting that nation-state-sponsored attacks are particularly costly to cover.

    In other, more fulsome words, ... their, and systemic markets exposure to being found out as, and widely recognised and popularly accepted as, and therefore easily able to be found guilty in the first degree and convicted of, being a state enabler complicit in ensuring a simple means to encourage and continue egregiously repressive and oppressively punitive inequitable status quo operations against command and controlling human resources/global assets/earthly treasures/heavenly pleasures/diabolical liberties/universal rights.

    And yes, that would be disastrous for them to be involved in, in any way, and thus is gravely to be regarded ...... with much as was publicly revealed and earnestly advised on about the power of ever present money over 60 years ago [on January 17, 1961] surprisingly easily made applicable to them also ...... President Dwight D. Eisenhower's Farewell Address (1961)

    Sound earlier advice which quite obviously fell on deaf ears and now results in all manner of totally new formerly unimaginable unexpected consequences.

    1. Headley_Grange Silver badge

      Re: A Stitch in Time Saves Nine/Proper Preparation and Planning Prevents Piss Poor Performance

      Do you write contracts for insurance companies in your spare time?

  7. amanfromMars 1 Silver badge

    The more things change, the more they stay the same ‽ ‽

    :-) In your dreams, maybe, but not nowadays in 0days

    That Lloyd's Market Bulletin Ref: Y5381 is a bold admission that some attack vectors are indefensible .... and therefore more valuable than ever can be priced for and bought for exclusive use/abuse/misuse.

    That in its turn makes those attack vector agents enabled to be rich beyond even the craziest of dreams ...... and that is another mother of a brand spanking new market for status quo systems to consider requires their regulation with novel invented rules which affords them a remote proxy control facility. Such is their default modus operandi/vivendi.

    Take care though stepping into that market for it does not accept the folly and counsel of useful fools who be useless tools.

  8. steelpillow Silver badge

    Acts of war

    On the face of it this ought to be a sensible move; insurers habitually exclude acts of war, and cyberwarfare is an obvious thing to lump in with that.

    But how do you define cyberwarfare? Lloyds have plumped for action by a foreign State agency. Again, that might seem fair enough, except, how do you establish who perpetrated the attack, and even if you do pin it down to some black-hat organisation, how do you decide whether they are criminal freelancers or under state control or some unholy mix of the two?

    1. Anonymous Coward
      Anonymous Coward

      Re: Acts of war

      That's what you pay very expensive lawyers for...

  9. Pascal Monett Silver badge

    "cyber attack coverage"

    This is an abomination in principle.

    It allows companies to not do the required effort to secure their systems, and instead get compensated for their lack of effort when disaster strikes.

    This should not be allowed. We're not talking about a building ruined by an earthquake. Hacking is not an unforseeable event. It is ongoing and constant.

    There should not be insurance on that. Do your job and secure your servers.

    1. Headley_Grange Silver badge

      Re: "cyber attack coverage"

      Home insurance is an abomination. Most houses are insecure since a brick through the window allows thieves into the house. House insurance just allows home-owners to not bother with properly securing their homes and instead just get compensated when they are robbed.

      Home insurance should not be allowed......, etc.

      1. Jimmy2Cows Silver badge

        Re: "cyber attack coverage"

        House insurance just allows home-owners to not bother with properly securing their homes and instead just get compensated when they are robbed.

        Actually, no. Most home insurers will not cover theft loss if your home was not adequately secured at the time. They have very specific wording for this in policy exclusions. So if you left a window open, a door unlocked, or your doors don't have adequate locks (e.g. multipoint), claims will be denied.

        It certainly doesn't encourage people to be stupidly lax about securing their home. A brick through the window isn't something you can realistically expect everyone to guard against, so naturally this kind of attack is not excluded.

        1. Anonymous Coward
          Anonymous Coward

          Re: "cyber attack coverage"

          That is a common myth, but absolutely not true.

          The vast majority, if not all, homeowners policies DO NOT exclude coverage if you don't 'secure' your house. They'll give you small discounts for things like burglar alarms, but the discount is generally not big enough to cover the alarm monitoring cost.

          I know my policy has absolutely no difference in coverage no matter whether I have high security deadbolt locks or just leave my doors open all day.

          Claims are denied when they are caused by something not covered. I live in an area where a flood is damn near impossible, so I don't bother with flood coverage. If my house is flooded, a claim would be denied (and because of the location of my house, hundreds of feet above the nearest body of water, my entire city would be washed away and pretty much every insurance company on the planet would be bankrupt.)

          Claims are NOT denied when they're caused by a named peril. Theft is a named peril in all homeowners policies. Theft is covered. Door locks are irrelevant.

          1. usbac

            Re: "cyber attack coverage"

            "I live in an area where a flood is damn near impossible, so I don't bother with flood coverage."

            Be careful with this. If you have a water pipe break just outside of your house, and it causes some damage to your house, your insurance will try to deny it. Water coming from outside the home, whether from a pipe or not, is covered under flood insurance, and not by regular homeowners insurance.

            We had a pipe break right where it came through the concrete wall of the basement. It flooded part of the basement. The insurance company tried to say that the water "came from outside" and was not covered, since like you, we don't have flood insurance. We won in the end, but it is something to be aware of.

          2. Ken Moorhouse Silver badge

            Re: I live in an area where a flood is damn near impossible

            No nearby hydroelectric schemes planned?

            The Levelling up which gov keeps on at us about could involve filling in the valleys.

        2. Anonymous Coward
          Anonymous Coward

          Re: "cyber attack coverage"

          "A brick through the window isn't something you can realistically expect everyone to guard against..."

          When an Italian friend visited me in the UK he was shocked to see ground-floor windows without bars, grills or security shutters and doors with windows in them instead of being steel lined. He asked why houses weren't robbed all the time.

      2. EricB123 Bronze badge

        Re: "cyber attack coverage"

        In many parts of Asia home insurance is almost unheard of.

        Most houses do have steel gates however.

    2. Mike 137 Silver badge

      Re: "cyber attack coverage"

      Actually, there has always been a range of policy types in principle, from, at one end, low cost policies with negligible obligation on the insured that offer minimal cover that's hard to claim, and at the other end robust quite expensive policies that pay out fairly but demand specific security obligations to be fulfilled. If the insurer in the latter case finds out that those obligations have not been fulfilled they are unlikely to pay out. As the industry has matured, the latter type has actually come to dominate the market, so there's much less opportunity to be slack and rely on insurance as a fallback than there was in the early days of the industry.

      Insurance is just one (but a necessary one) of the tools used to protect against the cyber threat (just as fire insurance is one of the tools to protect against that threat, in which case sloppy fire precautions will tend to result in non-settlement too)

    3. DS999 Silver badge

      Re: "cyber attack coverage"

      It isn't cyber attack insurance that should be banned, but the payment of ransom. If the US, UK and EU collectively agreed to make ransomware payments illegal within their jurisdiction, while it would create some short term pain for victims in the long run it would greatly decrease ransomware attacks assuming it was properly enforced.

      The only reason hackers switched from attacking sites and putting up their names or some message they wanted to send to encrypting data and asking for ransom is because they found a way to make their hobby a paying job thanks to the ease of receiving payment in cryptocurrency. If the income dried up, so would the attacks. I mean, would you keep showing up at work if they quit paying you?

      Cyber attack insurance would still be necessary to compensate companies for lost data etc. who get hit after it is banned, or the small amount of attacks that might remain after most black hat hackers moved on to something else. The only bad part about cyber attack insurance is when it pays ransom. That just makes the problem worse, because companies don't even bear the cost of the ransom.

    4. An_Old_Dog Silver badge

      Re: "cyber attack coverage"

      Cyber security is hard to do well. There a bunch of are easy things -- which should be mandatory things to do. And there are hard things to do. Effectively combatting human nature is by definition hard, if not impossible to do. Some, perhaps many, people simply lack the ability to recognize a dodgy URL, regardless of how many classes they're given and videos they're shown. Some, perhaps many, people will fall to scammers' tricks ("Hi, Dan, this is Matt in Accounting. There's something wrong with the system, and my password doesn't work on our SAP server. It's got some data I need to pull together a report the boss is screaming for, and I've called IT, but they're really busy and the voice system says the queue time is currently at 40 minutes. Can you do me a major big and loan me your password to the accounting interface module? I know you're really not supposed to, but it's just this once and it'd get me out of a huge jam. Oh, thank you ever so much ..."), no matter how many seminars they're sent to.

      It's generally not because people are "stupid" (yes, some people are stupid, but on the average, they are not). It's a genetic thing about how their minds work. And because of that, no matter how skilled and diligent and well-supported your cybersecurity team is, eventually, a scammer will get through.

      Software patches are a different kettle of worms. Some patches eliminate needed functionality, some patches are themselves buggy, and it's a crap-shoot whether a particular 0-day exploit can be successfully used against your company or not.

      You have to face knowing at some day in the cybersecurity wars, you are going to lose. That is what the insurance is for.

      Finger-pointing won't help, but, humans being humans, that too will continue.

      (Icon 'cause they -- Boards of Directors, and insurance companies -- want to escape paying.)

  10. Flywheel

    "those that happen during wars, beginning in seven months' time"

    So are they anticipating that the war in Ukraine will be over in 7 months time?

    1. Kane Silver badge
      Thumb Up

      Re: "those that happen during wars, beginning in seven months' time"

      "So are they anticipating that the war in Ukraine will be over in 7 months time?"

      Maybe they should share their intel with everyone else!

      1. Hans Neeson-Bumpsadese Silver badge

        Re: "those that happen during wars, beginning in seven months' time"

        Maybe they should share their intel with everyone else!

        It's other people getting access to the Intel (or the AMD, or the ARM, or whatever) that's the problem in cyberattacks

    2. WonkoTheSane

      Re: "those that happen during wars, beginning in seven months' time"

      March 31st 2023 - The last day of the current financial year.

      1. Yet Another Anonymous coward Silver badge

        Re: "those that happen during wars, beginning in seven months' time"

        So are we relying on the Russian army to have the same accounting rules ?

        1. GrumpyKiwi

          Re: "those that happen during wars, beginning in seven months' time"

          Russian Army Accounting Rules:

          50% for the Defence Minister

          25% split among the Generals

          10% split among lower ranked officers

          5% split for the rear echelon logistics staff

          10% for actual equipment purchases, maintenance, soldiers wages etc.

          Result: "Super" power.

  11. katrinab Silver badge

    The thing I don't get is, why do they think that the "really sophisticated" attacks can only be carried out by governments?

    Have they ever seen a government IT project? Plenty of examples elsewhere on this site. The only thing that is sophisticated about them is the ability of the same useless contractors to get massive contracts again and again despite their complete incompetence.

    1. Anonymous Coward
      Anonymous Coward

      Attacks sponsored and executed by crime syndicates = organised crime

      Attacks sponsored and executed by government = disorganised crime

      1. GruntyMcPugh Silver badge

        I listened to a podcast recently that discussed North Korea and it's state sanctioned hacks, and that they were largely in it for the money. They nearly stole a cool $1Bn from the national bank of Bangladesh. They are an oddity in this respect, but then they have a GDP equivalent to the state of Montana, so need to get cash for their nuke research somehow.

  12. Ozzard

    There's a standard insurance fix for catastrophic losses: reinsurance

    I want to see who's reinsuring the insurers against cat losses, and how they calculate their XOL (excess-of-loss) premiums.

    That said, a war exclusion is reasonably standard.

  13. Anonymous Coward
    Anonymous Coward

    and "terrorism" ?


  14. Bitsminer Silver badge

    Nation-state as the perp, or the victim?

    Most commentards have reflected on the inability to reliably attribute the origins of a cyber-attack. As mentioned, the bad boys and girls can be anything from sympathizers to fully-involved gangsters.

    The article also mentions losses due to cyber attacks against a nation state. Successful ones. That would be the catastrophe they don't want to cover. If Germany or Bank of England or US Treasury get completely disabled for weeks, well then, a lot of things would change, and none for the better.

    The consequences to companies, whether large or small, in such circumstances, are unimaginable. And then there are the people, both employees and everybody else. No, don't believe it, no insurance scheme is adequate to such a situation. Best not let it happen.

  15. Sparkus

    stop writing coverage

    that protects incompetent managers, directors, and CIOs from idiotic decision making.........


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like