Bank of America raised concerns with Lloyd’s of London about a move to exempt big “state-backed” cyber attacks from standard insurance policies, underscoring the concern among financial institutions about changes to a crucial safety net.
The US lender expressed unease over the new rule in one of a series of discussions of the matter in recent weeks between Lloyd’s and big clients, according to people familiar with the meetings, as the insurance market seeks to protect itself from systemic risk.
Anxiety is growing among large corporations about the threat from state-sponsored cyber groups, including over whether the cost of attacks will be covered by their insurers.
A senior UK official warned on Wednesday of the threat from “ideologically motivated, rather than financially motivated” hackers allied to Moscow.
Lloyd’s, a centuries-old marketplace where dozens of insurers negotiate with hundreds of brokers over the terms and price of cover, has played a leading role in cyber insurance and takes in about a fifth of global premiums.
But the corporation running the market has faced a backlash over the new requirement that standard cyber policies contain an exclusion for state-backed attacks that create a “significant impairment to state infrastructure”.
Lloyd’s and its supporters have said it is a move to bring clarity, given that insurance policies typically exclude war. But the decision has stoked fears among financial and healthcare groups, as well as infrastructure providers, that any big attack against them could be deemed exempt, meaning a claim would not be paid.
BofA is one of the groups said to have raised its concerns directly with Lloyd’s. Marsh, the world’s biggest broker, has arranged direct meetings for its clients with Lloyd’s to share concerns over the exclusion, according to people familiar with the matter.
BofA and Marsh declined to comment.
Paul Benda, senior vice-president for operational risk and cyber security at the American Bankers Association, said any changes to cyber protections were troubling for banks, which were already subject to “the most stringent regulatory requirements”.
“The US banking industry takes its commitment to cyber security very seriously,” Benda said. “[That] includes a layered approach to managing operational risks, and cyber-risk insurance is one of those layers. Any changes in those protections [are] understandably a cause for concern.”
In some previous cases, insurers have argued that the 2017 NotPetya attack, attributed by US intelligence to Russia, was akin to a “warlike act” and therefore should not be covered.
Lloyd’s said it was not demanding “a blanket exclusion but a segregation of risks in a fast maturing area of insurance”. There were a “number of teams of underwriters” that were developing add-on policies that could cover state-backed attacks, it added.
But critics say a separate market for insuring state-backed cyber attacks is some way off, and commercial insurance buyers privately chafe at the idea that they will have to pay for additional cover when the prices of standard policies have jumped in recent years.
The clash reflects broader concerns about the private sector’s ability to transfer the risks of systemic cyber attacks. Zurich’s chief executive warned in December that cyber attacks were on their way to becoming “uninsurable” as disruption to society grows.
In its National Cybersecurity Strategy released last month, the US government said it would “assess the need for and possible structures of” a federal backstop for the market.