
Thursday, January 13, 2022

War, cyber war and cyber operation exclusion clauses

On November 25, 2021, the Lloyd’s Market Association published 4 model clauses (LMA 5564/5565/5566/5567) titled “war, cyber war and cyber operation exclusion clauses”. The objective is to exclude all losses caused by war and cyber operations from insurance and reinsurance policies.

I - The 4 clauses provide different levels of cover.

- Exclusion n°1 (LMA 5564): excludes losses from all kinds of cyberattacks by State actors

- Exclusion n°2 (LMA 5565): covers losses (with specified coverage limits) that are not due to retaliatory operations between the 5 “specified States” and that do not have a major detrimental impact on national security and defense

- Exclusion n°3 (LMA 5566): provides the same conditions as exclusion n°2, except that it does not specify coverage limits

- Exclusion n°4 (LMA 5567): same coverage as exclusion n°3, but it adds coverage of effects on “bystanding cyber assets”.

II - The four documents are titled “War, Cyber War and Cyber Operation Exclusion”. Definitions of “war” and “cyber operations” are provided, but no definition of “cyber war” is proposed. “Cyber operation means the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state”.

III - Although the definition of “cyber operations” focuses on aggressive state-to-state activities, it also includes operations carried out “on behalf” of a State. Such a scope may include a wide spectrum of actors (state actors such as intelligence agencies and militaries, and non-state actors such as organized crime groups, terrorist organizations…) and situations.

IV - The approach is built on only 2 categories of actors: the State and the insurer.

- State level:

o   States: “means sovereign state”

o   Government of the State (intelligence, security services), which is in charge of the attribution process

o   Vital functions of a State: “financial institutions and associated financial market infrastructure, health services or utility services”

o   “Specified States means China, France, Germany, Japan, Russia, UK or USA”

o   Impacted state means any state where a cyber operation has had a major detrimental impact on: 11.1. the functioning of that state due to the direct or indirect effect of the cyber operation on the availability, integrity or delivery of an essential service in that state; and/or 11.2. the security or defence of that state.

o   Those who act “on behalf” of a State

- The insurer

V - The coverage of losses depends on the attribution of the cyber operations. Who is in charge of the attribution?

a) the government of the State where the attacked system is located,

b) if the government of the State is unable to attribute the attack, then “it shall be for the insurer to prove attribution by reference to such other evidence as is available”. 
