Or at least standardized policy language on the subject.
Cyber insurance policies have always had language excluding “hostile and warlike actions”, whatever the hell that means. What it means is full employment for lawyers. And a long time before you get paid.
The Lloyd’s Market Association, the syndicate that drives Lloyd’s-backed policies, has created four model clauses to replace that vague and outdated language.
Lloyd’s Market Association offered four model clauses that could be used in whole or part in insurance policies, offering a range of different coverages for state activity. In the broadest sense, they cover operations carried out during war, states retaliating for other cyber activity, or for cyber operations that impact national or homeland security as a whole. The least restrictive language carves out an exemption for that last clause when the operation is against a system covered by the insurance policy; more restrictive wordings do not.
As a major insurer lifts the fog of cyberwar coverage, new definitions emerge | SC Media (scmagazine.com)
At least one piece of good news exists – the burden in the new Lloyd’s wording is placed on the insurer to prove the attack was a state action.
What is unclear at this point is whether this means that insurance companies will be more aggressive about enforcing that language. That will be the biggest question with the new wording.
This is on top of the rising insurance prices and declining coverage maximums that many companies are seeing when they renew their policies.
Reuters reported that Lloyd’s had “discouraged its 100-odd syndicate members from taking on cyber business next year”. LMA’s underwriting director says that it makes no sense for syndicate members with a good track record to refrain from writing new business. In fact, he said, he anticipated their business going up in 2022.
All that being said, the market has to change.
What we are seeing is the underwriting conditions getting stricter. Many clients are telling us that their underwriter is requiring very specific security measures like MFA on all systems or a certain kind of endpoint protection. ASSUME THAT IS GOING TO CONTINUE.
Moody’s just invested a quarter billion dollars in Bitsight, a company that creates security scores for businesses. My suspicion is that once this investment is complete, the result will be factored into your Moody’s risk rating. Bitsight and its competitors already work with multiple insurance carriers to score prospects. If your score is too low, you will not get insurance. Period.
This means that if companies do not want to be self-insured, they are going to have to increase their investment in protecting themselves. It is going to be forced on you by the insurance carriers, state laws and industry regulators.
Credit: SC Magazine and Threatpost