Lloyd’s has issued a market bulletin Y5381 requiring all standalone cyber attack policies to exclude cover for state- backed cyber attacks. This requirement will apply to policies (including renewals) commencing on or after 31 March 2023.
In its bulletin Lloyd’s reaffirmed its support of the writing of cyber cover, whilst recognising that cyber remains an evolving risk. Lloyd’s refers to the potential systemic risk if the potential exposure is not managed appropriately. The specific requirements of the state-backed cyber exclusion are that it must:
- excluded losses arising from war, whether declared or not;
- exclude losses from state-backed attacks that significantly impair:
- the ability of a state to function; or
- the security capabilities of a state;
- be clear as to whether computer systems located outside a state affected by 2 above are excluded;
- be clear as to how the parties will agree how a state- backed attack will be attributed to one or more states; and
- clearly define all key terms.