By Jonathan Hopkins

Published 05 March 2024

Overview

In our 2024 predictions for the global insurance market, we predicted that there was further to go on cyber war and that further exclusions could be expected. [1] So far this year, the LMA has published nine new cyber war clauses. These are:

  • A clause drafted by the Trium Syndicate at Lloyd's;

  • Three AIG clauses;

  • Two Aon clauses; and

  • Three LMA war exclusions for cyber treaty reinsurance.

This article will focus on the LMA exclusions.

In the CEO letter from Peter Montanaro, Market Oversight Director at Lloyd's, the requirements of Market Bulletin Y5381.

New risk codes, RY and RZ, were introduced for the 2024 year of account to capture the underwriting of CY and CZ risks written as inwards treaty reinsurance. CY and CZ risk codes will continue to apply to insurance contracts or single risk reinsurance contracts, such as facultative reinsurance of a single insured. [2]

On 1 March 2024, following consultation with the cyber reinsurance working group, the LMA published the following war clauses:

  1. LMA5629 (Exclusion A),

  2. LMA5630 (Exclusion B), and

  3. LMA5631 (Exclusion C).

These are not published with the LMA's other cyber war exclusions but are appended to a separate bulletin. [3]

Some key points to note include the following:

  • All three exclusions contain attribution language.
  • Exclusion A is the most robust and is materially the same as LMA5564A.
  • Exclusions B and C contain a Difference in Conditions provision which allows the reinsurer to follow any underlying war and cyber exclusion, provided this is compliant with Lloyd's requirements for Type 3 clauses (see the table below).
  • A new definition for 'Type 3 exclusion' is inserted into Exclusions B and C. This is used as part of the Difference in Conditions mechanism.
  • Exclusion C does not apply to losses arising under original policies covered under the reinsurance which incepted prior to 1 April 2024 on a Losses Occurring During basis. The LMA Bulletin published 1 March 2024 notes that this exclusion should only be used for the first renewal following Lloyd's requirements becoming effective.

By way of reminder, cyber war exclusions are classified by the LMA into seven different types as shown in the table below. Clauses that are categorised as Types 1 – 3 are compliant with the requirements of Market Bulletin Y5381. This classification emerged in June 2023 and was further tightened in Peter Montanaro's September letter (see above).

 

| Type | Description |
|---|---|
| Type 1 | Excludes all state backed cyber-attacks (war and non-war) |
| Type 2 | Excludes state backed cyber-attacks as part of war and excludes all significant impairment losses for non-war |
| Type 3 | As Type 2 but does not exclude significant impairment non-war losses which occur outside the impaired state |
| Type 4 | As Type 3 but does not exclude state backed cyber-attacks as part of war outside the warring states |
| Type 5 | Other clauses assessed as compliant |
| Type 6 | Clauses which have been granted dispensation by Lloyd's |
| Type 7 | Non-compliant clauses or no clause |

Note: in accordance with Lloyd's requirements set out in 'Performance Management: Supplemental Requirements and Guidance' (available on Lloyds.com), any clauses which do not include full exclusions for war should be reported to Lloyd's.

We await further interesting developments in this area.

[1]  insurance.dacbeachcroft.com/predictions/data-privacy-and-cyber/

[2]  assets.lloyds.com/media/0b0013bb-86e8-4caf-b79b-99331d208d3e/Risk-Code-Guidance-072023.pdf

[3]  www.lmalloyds.com/LMA_Bulletins/LMA24-011-CM.aspx