
Cyber insurance exclusions can be a major headache for businesses, especially if they're not aware of what's covered and what's not. Many policies exclude coverage for data breaches caused by human error, such as accidental deletions or misconfigurations.
Businesses need to understand that cyber insurance exclusions can vary widely from policy to policy. Some policies may exclude coverage for cyber attacks that result from a business's failure to implement adequate security measures.
Cyber insurance exclusions can be triggered by a range of factors, including the use of pirated software or hardware. This can put businesses at risk of financial losses if they're not prepared.
Businesses should carefully review their cyber insurance policies to understand what's excluded and what's not. This can help them avoid costly surprises down the line.
Cyber Insurance Exclusions
Cyber insurance exclusions can be complex and often leave business owners wondering what's covered and what's not. The most widely used war exclusion, LMA5667A, excludes losses arising from war and cyber operations that are part of war.
This exclusion specifically targets losses from affected computer systems located in countries that meet the criteria for an "Impacted State". Cyber insurance policies often exclude coverage for incidents caused by intentional acts by an insured party, which serves to deter fraudulent claims and protect insurers' bottom lines.
Some common exclusions from cyber insurance include intentional acts, vulnerabilities, and regulatory non-compliance. If a business becomes aware of cybersecurity vulnerabilities but fails to take adequate precautions, they may no longer be covered for resulting incidents.
Here are some specific exclusions to be aware of:
- Intentional Acts: Excludes coverage for incidents caused by intentional acts by an insured party.
- Vulnerabilities: Excludes coverage for incidents resulting from known cybersecurity vulnerabilities.
- Regulatory Non-Compliance: Excludes coverage for fines and penalties resulting from non-compliance with data protection regulations.
Why Have Lloyd's Introduced Changes?
Lloyd's has introduced changes to cyber insurance policies due to their concern that traditional war exclusions don't adequately address the risk of systemic loss caused by cyber threats.
The insurance market's ability to pay covered losses could be affected by a single cyber-attack with a widespread impact on multiple organisations.
Lloyd's believes that nation states pose the greatest threat in terms of developing malware capable of causing widespread destruction.
Their requirements have a particular focus on nation state cyber activity, whether in the course of war or independently of war.
Exclusions
Cyber insurance exclusions can be complex and confusing, but understanding them is crucial to getting the right coverage. The most widely used war exclusion, LMA5667A, excludes losses arising from war and cyber operations that are part of war.
Intentional acts are also excluded from cyber insurance, as insurers aim to deter fraudulent claims and protect their bottom lines. This exclusion serves to keep claims low-key.
Businesses that fail to take adequate precautions against known cybersecurity vulnerabilities may also find their insurance coverage reduced or eliminated. Insurers expect businesses to take reasonable steps against known risks in order to stay insured against them.
Regulatory non-compliance, such as violating data protection regulations like GDPR or HIPAA, can also lead to exclusions for fines and penalties resulting from non-compliance.
Here are some common exclusions from cyber insurance:
- Intentional Acts: Excludes coverage for incidents caused by intentional acts by an insured party.
- Vulnerabilities: Excludes coverage for incidents resulting from known cybersecurity vulnerabilities if the business failed to take adequate precautions.
- Regulatory Non-Compliance: Excludes coverage for fines and penalties resulting from non-compliance with data protection regulations.
Property and general liability policies often don't cover cyber loss, and it's not just because of the exclusions. The concept of "silent cyber remediation" emerged after the NotPetya and WannaCry ransomware attacks, which led insurers to realize they had overlooked a massive blind spot in their policies.
Exclusions and Limitations
Intentional acts by an insured party can lead to excluded coverage, as insurers aim to deter fraudulent claims and protect their bottom lines.
Businesses must take reasonable steps to address known cybersecurity vulnerabilities, or they may no longer be covered for resulting incidents.
Regulatory non-compliance, such as violating data protection regulations like GDPR or HIPAA, can result in omitted coverage for fines and penalties.
Here are some standard policy exclusions:
- Business interruption sales losses
- Business interruption losses within the waiting period
- Third-party errors, such as hacking or data breach incidents originating from a cloud provider
- Hardware/software upgrades after a cyber-attack
- Social engineering fraud, which can lead to liability claims and lawsuits
- Injury/property damage coverage, such as equipment malfunction or property damage
- Payment Card Industry (PCI) violations
- Reputational harm, which may require repairing a company's image
- Bank account takeover
Controversy
Some buyers of cyber insurance have questioned whether the greater clarity of LMA5567A (and its variants) comes at the expense of cover.
Others have argued that the absence of clarity in the war exclusions that have been traditionally seen in cyber insurance policies could be used to the policyholder’s advantage in the event of a coverage dispute.
Misconceptions
Misconceptions can be costly, especially when it comes to cyber insurance.
Lloyd's is not stopping coverage for nation state cyber-attacks, despite what you might have heard.

Businesses need to be aware of the exclusions in their Cyber Insurance terms to avoid surprises.
Some cyber insurance policies don't cover certain events and losses, so it's essential to know what's not included.
A common misconception is that Lloyd's no longer covers nation state cyber-attacks, but this is simply not true.
To avoid denied cyber claims, it's crucial to understand what's not covered by your policy.
War Exclusions vs Lloyd's Model War Clauses
The way war exclusions are handled in cyber insurance policies can be complex and nuanced. The Lloyd's model war clauses, for example, have emerged as the most widely used war exclusion that meets Lloyd's guidelines.
LMA5667A is a specific war exclusion that's widely used by Lloyd's members. It excludes losses arising out of war and cyber operations that are part of war, but the exclusion may not apply to cyber operations deployed by nation states outside of war.
The traditional approach to war exclusions can be different from the Lloyd's model war clauses. This traditional approach is often used in 'traditional' war exclusion policies.
In some cases, policyholders may prefer the traditional approach over the Lloyd's model war clauses. This can come down to personal preference and how they view the risks associated with war exclusions.
WTW has developed its own war exclusion, which is based on LMA5667A but introduces some amendments. One of these amendments carves back cover for certain losses arising from cyber operations deployed in conjunction with war.
Some buyers of cyber insurance have questioned whether the clarity of LMA5667A comes at the expense of cover. They argue that the absence of clarity in traditional war exclusions could be used to their advantage in the event of a coverage dispute.
Lloyd's has introduced these changes to address the systemic loss risk associated with cyber threats. They believe that nation states pose a significant threat in terms of developing malware capable of causing widespread destruction.
Some Policies Don't Offer Certain Protections
Some policies don't offer certain protections, and it's essential to know what they are. Business interruption sales losses are not always covered, so if your business is interrupted due to a cyber-attack, you might not be able to recover lost profits.
Not all cyber insurance policies provide coverage for profits lost due to business interruption after a cyber-attack. This means that if your business is down for a period of time, you might not be able to claim the losses.
Business interruption losses within the waiting period are also not covered by all policies. For example, if your business interruption coverage has a 12-hour waiting period, you're only covered for losses after its expiry, counting from when the outage began.
Third-party errors are often not covered, so if a hacker targets your cloud provider, your policy might not cover the losses. This is why it's crucial to check your policy terms carefully.
Here are some common exclusions in cyber insurance policies:
- Business interruption sales losses
- Business interruption losses within the waiting period
- Third-party errors
- Hardware/software upgrades
- Social engineering fraud
- Injury/property damage coverage
- Payment Card Industry (PCI) violations
- Reputational harm
- Bank account takeover
Property
Property is a critical aspect of insurance, but when it comes to cyber insurance, there are some key limitations to be aware of. Traditional cyber insurance policies do not intend to cover physical damage or bodily injury.

A cyber policy typically covers loss, theft, or damage to electronic data, but it's not designed to compensate for physical damage to property, plants, machinery, or equipment. This means that if your business suffers a cyberattack that damages physical assets, you may not be covered under a standard cyber insurance policy.
Here's a breakdown of what a cyber policy typically does and doesn't cover:
As you can see, cyber insurance policies are designed to protect against digital threats, not physical ones. So, it's essential to carefully review your policy and understand what's covered and what's not.
Sources
- https://www.wtwco.com/en-us/insights/2023/06/war-exclusions-in-cyber-policies-the-important-details
- https://woodruffsawyer.com/insights/cyber-security-insurance-vs-property-insurance
- https://atlasinsuranceagency.com/blog/understanding-cyber-insurance-policy-coverage-and-exclusions/
- https://prowritersins.com/cyber-insurance-blog/how-does-cyber-insurance-work/
- https://www.summitcover.ca/post/what-does-cyber-insurance-not-cover