Industrial asset owners now likely to face expanded cyber risk following Lloyd’s decision, amidst rising attacks

Following the decision by Lloyd’s of London that from 2023 all its insurer groups will have to exclude ‘catastrophic’ state-backed attacks from their cyber insurance policies, industrial asset owners and operators will likely be forced to step up their cybersecurity defenses. Organizations will also be on the lookout to identify insurance policies with the right coverage and to balance premium costs with their security investments. They will also need to assess their own risk and put in place a mitigation roadmap to deal with higher-impact, higher-consequence cybersecurity incidents.

Lloyd’s of London said last month that it is set to introduce cyber insurance exclusions to coverage for ‘catastrophic’ state-backed attacks from 2023, as cyber-attack risks involving state actors have additional features that require consideration. While the insurance firm stated that it ‘remains strongly supportive of the writing of cyberattack cover,’ it recognizes that ‘cyber-related business continues to be an evolving risk.’ 

The London-based firm pointed to “the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb.” Moreover, with rising ransomware attacks and subsequent payouts, insurers are forced to find ways to limit their risk or go out of business.

The move to limit systemic risk in the insurance market has prompted warnings that it would lead to legal disputes over whether certain attacks had state support while further restricting cover vital to businesses.

Over the last two years, the cyber insurance sector has witnessed a high volume of claims, severe losses, climbing rates, reduced insurer appetite, and an increased focus on accumulation risks. In addition, heightened geopolitical tensions, digital interconnectivity, and the adversarial nature of cyber hackers have contributed to a shift in the perception of cyber risk by insured parties. The scenario has also led to a recognition among the insured that they could be at the receiving end of a cyberattack. 

Insurance firm Marsh said in a recent update that looking ahead at the rest of the year, there is reason for ‘cautious optimism’ that rate increases will stabilize and insurers will reward strong cyber hygiene controls. “But there is an increasing sense of cautious optimism that the steep rate increases of the past several quarters are moderating as attritional losses are better controlled and premium growth exceeds incurred losses. This is happening at a time when many organizations, affected by steep pricing increases and restricted capacity, have focused on strengthening their cyber hygiene controls,” it added. 

Earlier this year, the Office of the Director of National Intelligence (ODNI) assessed potential cyber-attacks from China, Iran, North Korea, and Russia against the U.S. critical infrastructure sector. The agency said that state and non-state hackers ‘threaten our infrastructure and provide avenues for foreign malign influence threats against our democracy.’ Over the months, numerous instances of such state-sponsored attacks have occurred against the industrial, manufacturing, healthcare, government agencies, energy, and NGO sectors. 

Industrial Cyber contacted experts in the cyber insurance sector to evaluate the broader implications for industrial asset owners and operators of the decision by Lloyd’s of London covering state-backed cyber-attack exclusions in standalone cyber-attack policies. 

Jennifer Mulvihill, Business development head for cyber insurance and legal at BlueVoyant

“In our current environment, where critical infrastructure sectors are extremely attractive targets for bad actors, industrial asset owners are now facing expanded risk,” Jennifer Mulvihill, business development head for cyber insurance and legal at BlueVoyant, told Industrial Cyber. “As the industrial market tries to keep up with innovation and efficiencies, and as they leverage the Internet of Things (IoT) to connect operational technology, now they are at risk for physical damages arising out of cyber attacks.”

“Software vulnerabilities that could result in a shut-down of an online business could lead to a myriad of devastating consequences in the industrial community. These attack vectors could provide pathways to manipulating controls resulting in physical destruction and potential loss of life,” according to Mulvihill. 

“Given that many operational asset owners support supply chains that affect our daily way of life such as filling up our tanks with gas or providing water, any nation-state with malicious intent to deprive us of our basic necessities may constitute a cyber attack,” Mulvihill explained. “The broader implications of the exclusion will force this community to focus on the cybersecurity of their systems to avoid the establishment of a nexus between the computer systems affected by the operation and the attribution to another state or those acting on its behalf.” 

Mulvihill said that the burden is on the carrier to prove attribution, but the first step in avoiding that analysis is to consider cyber threats to be as serious as traditional physical threats. The overlap between the two is even more terrifying, which is one of the underlying motives of any nation-state terrorist attack – to incite fear.

“There is a paradox that in seeking to provide certainty within the Lloyd’s Market for the scale of portfolio and systemic cyber risk associated with war, Lloyd’s is introducing uncertainty about the value of cyber cover,” Jose Seara, founder and CEO at DeNexus, told Industrial Cyber. “The definitions of war and cyber operation are very broad in all new illustrative clauses. The expectation of government and affected enterprise ability to attribute to a state or a proxy acting on behalf of a state is likely to be beyond the capabilities of many organizations, and not all governments have this ability.”

Jose Seara, founder and CEO at DeNexus

“If the President of the US says in a briefing he BELIEVES an attack on US critical infrastructure was probably Russia, is that attribution? If Cyber Command or the FBI says it was Russia, but the President says it was likely China, this will cause even more confusion on attribution,” Seara said. “It seems likely that claim litigation centered upon objectively reasonable attribution will become common. Maybe the time to set up a litigation financing fund,” he added.

The decision by Lloyd’s to exclude state-backed cyber-attacks means that, depending on the threat probabilities of an attack by a nation-state, some percentage of the risk associated with cyber-related incidents, including malware, ransomware, and more will have to be borne by the asset owner themselves, Matt Morris, global managing director for 1898 & Co. Security, told Industrial Cyber. “This move is effectively a risk avoidance approach by the insurance provider, whereby the risk is being transferred directly to the asset owner. The real impact of Lloyd’s action will depend on the risk tolerance of each asset owner.”

Matt Morris, Global Managing Director for 1898 & Co. Security

“Given the premiums that asset owners have paid relative to the coverage they have received, I suspect there will be some impact to this decision,” Morris pointed out. “However, it may be somewhat muted given that some asset owners have already begun to apply their spend toward cyber risk assessment (to understand the overall impact and consequences) and risk mitigation techniques versus allocating funding toward insurance premiums that tend to come up far short anyway,” he added.

“For those who were not already taking this approach, the decision by Lloyd’s may have the effect of accelerating that trend,” Morris said. “The risk is real and present, and like any other aspect of a business, asset owners must manage the risk so that the risk doesn’t manage them,” he added.

Gerry Kennedy, CEO at Observatory Strategic Management

“The war exclusions have been an issue for some time. These new war exclusions do not have any teeth now because they have not been litigated,” Gerry Kennedy, CEO at Observatory Strategic Management, told Industrial Cyber. “The policyholders should reserve their rights now before the exclusions are headed to litigation. This preempts the denial of coverage due to ambiguities that are already inherent in the forms, terms and conditions. Objectively reasonable comes to mind immediately,” he added.

From March 2023, Lloyd’s will require all its insurer groups to exclude liability for losses arising from state-backed cyberattacks. To deal with the updated guidelines, industrial asset owners and operators could adopt various initiatives over the next seven months.

“In the industrial sector, IoT is actually considered to be part of the XIoT — the extended Internet of Things because it involves operational technology, IoT, and industrial IoT,” Mulvihill said. “Operational Technology has been slow to modernize its systems, and oftentimes, networks are still segmented. The adoption of the cloud is also new, and as such, there are many proactive processes that need to be implemented to protect these systems. The Executive Order issued by President Biden on May 12, 2021, outlines some of these requirements and explains why they matter. NIST also provides cybersecurity guidelines specifically drafted for Operational Technology security,” she added.

Seara put forth three initiatives that industrial asset owners and operators could carry out over the next couple of months. “Engage through their brokers with the carriers to understand which illustrative exclusion wording will apply to them. Then in the light of their exposure versus cover risk, determine if the covers still available meet their needs,” he added.

“Recognize the difficulty in identifying and attributing attack and make provision to ensure there is an ability to secure and deploy incident response services if there is a delay in attribution. Most likely to be the case,” according to Seara. “Consider alternatives, like targeted utilization of Captives and other risk capital instruments to address the uncertainty that this evolution generates,” he added.

Morris said that asset owners have no choice but to assess their own risk and put a mitigation roadmap in place that allows them to mitigate the higher impact, higher consequence events that could degrade or negatively impact the reliability of operations, safety, etc. 

“It should be noted that there are emerging approaches, such as cyber-informed engineering (CIE) and consequence-driven, cyber-informed engineering (CCE) that provide a novel approach to dealing with these risks by tossing the endless vulnerability lists, patching, and threat probabilities out, and instead focusing their time and energy toward identifying the critical functions of the business that must not fail, and then protecting those,” according to Morris. “Given that CIE (and by extension) CCE is included and foundational in the United States (US) Department of Energy (DOE) Cybersecurity Strategy, these approaches will begin to spread across the community, which can only be a good thing,” he added.

“Start looking at insurance in a whole new light. Reallocate your available risk dollars, euros, etc. to managed risk solutions, not just policy language,” Kennedy said. “Talk to your carriers directly as they provide loss control services within your policy, and you paid for it. Audit your exposures to IT and OT losses and categorize them with efficiency as the elevation of your duty of care only enhances your ability to defend your business from litigation in a post-loss scenario,” he added.

Given the developing trend, it was not easy to assess whether industrial asset owners and operators would look for cyber insurance coverage or if this would lead to a decline in renewals.

“While the upcoming Lloyd’s exclusions may be disappointing or concerning, it doesn’t mean this sector should abandon the pursuit of cyber coverage,” Mulvihill said. “For example, the underwriting process and the completion of an underwriting application is an excellent way to self-assess and consider assets from a cyber perspective. At times, a carrier will provide a supplemental application for this type of coverage and will inquire about the segmentation of the network from the internet, the permission granted by the organization to employees to work remotely, and if so, whether multi-factor authentication (MFA) is implemented.”

Mulvihill added that some of the questions might also relate to the granting of third-party access to the OT environment — also questioning the MFA implementation. “Cyber insurance — despite this exclusion — will always provide significant benefits, and as the burden to determine attribution resides with the insurer (possibly in conjunction with other parties), it remains to be seen how often and how successfully this exclusion may be applied,” she added.

Seara said that it’s difficult to see how this could do anything except reduce demand. “I can see it potentially stifling demand for the cover because of the insured’s uncertainty of exclusion. Or asset owners might take a gamble and accept the exclusion while preparing themselves to challenge it in court. The problem, of course, is that, when that moment comes, they will also have to deal with an event.”

“Also, risk capital, and particularly ILS capital, is going to say any such condition only delays claims settlement and could delay incident response, which we already have a problem with,” Seara noted. “So it’s not just asset owners thinking twice about purchasing the cover, but risk assumers wondering why they should open up capacity to even longer tail risk.” 

“That said, the insurance industry, however, has proven very creative over the years, so we can expect some more progressive carriers to be receptive to new ideas and accept to experiment with data-driven risk transfer solutions,” Seara said. “Someone closes one door, and another one opens,” he added.

Morris said that given that the coverage achieved relative to the premiums paid continues to plummet, “I suspect a substantial number of asset owners will have to take a hard look at whether cyber insurance is worth it or not. My guess is that many of them will resolve that they are better served to invest funds into assessing their own risk, improving protection and detection, and investing more heavily into proactive preparedness,” he added.

“This is where the term ‘cyber coverage’ gets lost in what it actually does,” Kennedy said. “The word cyber is not a defined peril when it comes to insurance coverage for any line of insurance coverage. Insurance policies require defined perils, so if you know of a known peril and you have maybe even mitigated it, ask your insurance carrier if a loss happens due to say ‘Jackware’ would I be covered for concurrent causalities on my Property, General Liability, Umbrella, Disability, Life Insurance, etc.,” he added.

The point is that this IT and OT infiltration and exfiltration goes far beyond the concept of what everyone calls cyber, Kennedy added. “If it is listed, it is covered. If it isn’t listed, it’s potentially excluded,” he added. 

Given the situation, analyzing the recourse available to industrial asset owners and operators becomes important if the insurer decides it is ‘objectively reasonable’ to attribute a cyber-attack to a specific state and exclude it. Additionally, they must assess if ‘reasonable’ remains a legally binding argument.

Mulvihill said that while BlueVoyant can’t comment on coverage issues or opinions about legally binding arguments, “our recommendation would be to consult with a cyber coverage attorney if the exclusion is triggered and the organization would like to question that determination.” She added that it is prudent to establish a relationship with a cyber coverage attorney in the current insurance marketplace where insurers are increasing premiums and restricting coverage, no matter what exclusions are on the horizon.

Mulvihill said that insurers’ positions are in response to the extensive claims payouts on ransomware over the past few years. “Cyber coverage attorneys are specialized attorneys who are growing in demand to manage coverage expectations not only amidst a coverage determination but also during the insurance procurement process and can supplement the information a broker can provide about the insuring agreements.”

“Additionally, operational asset owners would be well-served to share information amongst their peers and seek advice from law enforcement professionals to learn about their experiences with nation-state attacks and attribution,” Mulvihill added.

Seara said that the burden of proof in all examples of the illustrative exclusion resides with the insurer. “Consequently, litigation in relation to the balance of probabilities that leads to an asset owner’s definition of objectively reasonable challenging that of the insurer seems the most likely recourse,” he added.

“Let’s face it, cyber insurers have never fully understood the risk relative to operational technology and critical infrastructure systems,” Morris said. “If they did, the entire cyber insurance industry would look very different for industrial asset owners.”

“The new exclusions and the evolution toward language that provides even more leeway for the insurer to refuse to pay are not surprising, and just further underscores that industrial asset owners may be best served to consider other options and approaches instead,” Morris added. 

Addressing the issue of the ‘objectively reasonable’ term, Kennedy said that the term would have to be litigated to gain a definition of that term. “I would document a track of reasonable care before any loss so you can countermand any glaring ambiguities. This is particularly poignant as the policyholder is inferior in the Contract of Adhesion (policy).”

Kennedy noted that it takes getting out in front and proving IT & OT resilience before an event. “Documented elevated duty of care is better than any policy,” he concluded.