Cyber liabilities to be excluded for state-backed attacks from 31 March 2023 onwards

Hands on Matrix

Expect cyber insurance premiums to rise further, and accept more cyber exclusions from 31 March 2023 onwards.

Lloyd’s of London, an insurance market place, will require all of its insurance sellers to exclude any liability for losses resulting from cyberattacks which are committed by nation state-backed entities (eg APT29 (Cozy Bear), APT39, APT25 (ie Uncool, Vixen Panda, Ke3chang, Sushi Roll, Tor), etc.)

By Lloyd’s, such a state-backed cyber-attack exclusion clause must:

  1. exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
  2. (subject to 3) exclude losses arising from state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.
  3. be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state backed cyber-attack.
  4. set out a robust basis by which the parties agree on how any state backed cyber-attack will be attributed to one or more states.
  5. ensure all key terms are clearly defined.


The cyber-attack exclusion clause looks to be something insurance companies will readily trigger, given how shadowy cyber groups (including affiliated groups or independent groups who are sympathetic to their cause) have operated so far. It’s only a matter of time before other insurers and re-insurers include similar, if not identical, cyber-attack exclusion clauses into their cyber insurance contracts and renewals.

What can be done to lower the risk of getting caught in a cyber-attack crossfire?

  1. Invest in your people
    This means up-to-date meaningful training, and not just to check off the training line item in the year’s compliance checklist.

  2. Invest in your technology stack
    The world is getting ever more reliant on technology, the level of cyber hygiene must also keep pace. Technology will advance whether you like it or otherwise. Not keeping up with technology risks incurring tech debt which in the long term, which meant not so long ago (in Internet Years) which makes the organisation and business less competitive, even obsolete.

    Similarly, the age of logging into Windows/Azure and Gmail using usernames/passwords, SMS and TOTP codes are behind us. If you are still using such methods to log into your desktops/laptops, you are exposing the entire organisation to phishing attempts. There are better methods and significant advantages to create convenience to your staff, lower helpdesk costs and stop business email phishing compromises! (Say hello to never forget your passwords!)

  3. Invest in streamlining business processes
    Instead of using bandaids such as Robotic Process Automation (RPA), why not consider to streamline business processes using your existing ERP system or even better, move onto an ERP technology stack that permits agile implementation.

    Tacking bandaids onto business processes exposes YOUR organisation to 3rd party risks and these risks can be significant depending on the type and amount of data (especially Personally Identifiable Information) shipped to the 3rd parties.

With only two quarters to 31 March 2023, take action now! Dynafense can help you and your organisation relook at your business IT and cyber strategy.

Leave a Reply

Your email address will not be published. Required fields are marked *