Lloyd's of London's exclusion of war and severe state-backed attacks from its core cyber cover has created confusion, prompting buyers to reexamine the value of the product.

The exclusion, which took effect March 31, left clients and brokers frustrated and confused, but the issue lies more with the messaging than the concept. There is little argument about the need to tackle systemic risks that could jeopardize the market, according to Glyn Thoms, head of cyber and technology, media and telecoms for Great Britain at Willis Towers Watson PLC. The frustration comes from Lloyd's acting in isolation and leaving the market to work out the implications.

"There is always a buyer at the end who has got to see the value still in what we do. If they don't, they won't buy it, and that's a bigger threat to the sustainability of the market than systemic risk," Thoms said in an interview.

The rollout could have been dealt with "much more effectively" if clients had been at the table during the process, he said.

Coverage confusion

In requirements first set out in August 2022, Lloyd's mandates that policies covering cyberattacks exclude losses arising from war, whether declared or not, and state-backed cyberattacks that "significantly impair" either the ability of a state to function or a state's security capabilities. Lloyd's underwriters also have to be clear whether the cover excludes computer systems located outside the states that suffered the significant impairment.

After facing an initial backlash, Lloyd's chief of markets Patrick Tiernan said during the first-quarter market message that the exclusion was not designed to rid Lloyd's of exposure to severe state-backed cyberattacks. Rather, it was to ensure the risk was priced and written separately from core cyber wordings so it can be measured, Tiernan said.

"We are not indifferent to the customer impact and we are not running away from this risk," he said.

Lloyd's said in a statement to S&P Global Market Intelligence that its August 2022 guidance, which followed consultation with the market, "ensures we are managing risk responsibly on behalf of customers — including potentially systemic risks — while approaching this complex field with the expertise and diligence it requires." It did not take the decision lightly, "and is committed to it."

The situation is analogous to efforts by Lloyd's and the wider market to expressly affirm or exclude cyber cover in policy language, as many wordings had been silent on the matter, thus creating uncertainty about exposures and coverage.

"If Lloyd's has phrased it as Lloyd's affirmatively covering cyber war, we wouldn't be having this discussion," Tom Draper, head of UK insurance at cyber underwriting agency Coalition Inc., said in an interview. "But because it's been phrased as an exclusion, everyone's [saying], 'You're pulling cover back.'"

The counterargument would be that Lloyd's is now providing cover that may never have been there or that would have required a court case to affirm, Draper said.

Tiernan acknowledged the issue with the exclusion badge after Lloyd's second-quarter market message. "We do not class this as exclusions. We class it as separation," he told journalists.

The confusion has been amplified by misunderstanding about the exclusion language. While mandating that an exclusion is in place, Lloyd's has not dictated the wording underwriters use to effect it. Many are using model exclusions drafted by the Lloyd's Market Association (LMA), a trade body representing Lloyd's underwriters. The most common misconceptions, according to a June Willis Towers Watson report, are that the LMA wordings exclude all nation-state cyber activity, when only one of them does, and that they provide no cover for buyers whose activities are deemed essential for the functioning of a state.

There are also complaints that the wordings are unclear in some cases. The most widely used LMA model wording, for instance, allows cover for state-backed cyber attacks that are not part of a war, except where an attack disrupts at least one "essential service" in a state which leads to a "major detrimental impact" to the functioning of that state, according to the Willis Towers Watson report.

The wording does not include a definition for major detrimental impact.

"We still don't have an explanation for that," Brian Warszona, UK deputy cyber practice leader at Marsh LLC, said in an interview.

The Willis Towers Watson report noted that while some have said the term is too open to interpretation, LMA argues specific language elsewhere in the wording makes the meaning clear. LMA declined to comment.

Exceptions to the rule

Possible exemptions are also causing head-scratching. Underwriters wanting to diverge from its requirements would need to provide a "robust explanation" and get agreement from Lloyd's, it said in its August 2022 bulletin.

Writers that want to continue offering cover for the risks Lloyd's wants to exclude within core cyber policies will be required to hold more capital, Tiernan said in a second-quarter market message. Any exposure to those risks would be considered to equal the full coverage limit of the policy, unless the underwriter could prove otherwise, for example, through sublimits. Sublimits cap the payout for certain elements of a policy.

Lloyd's is granting exemptions in exceptional cases to help smooth the transition, Tiernan said. However, there have been cases where they expanded beyond what was intended, creating an "unfair bifurcation" in the market between those who were sticking to the spirit of the rules and those who were continuing to mix the covers intended to be excluded within the core product.

Tiernan said the market had been pushing Lloyd's for "an awful lot more clarity."

"I don't see it as a battle between Lloyd's and the market, it is just being more specific," he said.

The rollout of the exclusion has been difficult in part because new products covering the risks now excluded from the core cover have been slow to emerge, Tiernan said. He said there are lessons to be learned from the rollout, and Lloyd's would be "very thoughtful" about them.

Lloyd's said a number of teams of underwriters are developing products in the Lloyd's Lab, the market's innovation hub, to satisfy the demand for broader cover.

Insurers are not likely to agree on marketwide cyber war exclusions in the near future, the Willis Towers Watson report said. Many non-Lloyd's insurers continue to be happy with exclusions that would not be compliant with Lloyd's rules, according to the report. That said, a large portion of the cyber insurance market is reinsured; if reinsurers provide terms that are subject to a Lloyd's-compliant war exclusion, there is a bigger chance for more consensus, it added.

The cyber war exclusion work is a "test run" for tackling systemic cyberrisk, Draper said.

"There are other cyber systemic events that the market is worried about which we haven't addressed," he said.