War exclusions: cyber attack attribution problematic for SMEs

Challenges around attributing cyber attacks to threat actors and whether they would come under a war exclusion remain key for insurers, particularly those with SME clients, delegates heard at Intelligent Insurer’s Cyber Risk and Insurance Innovation Europe 2023 conference, in London, on February 7, 2023.

Helga Munger, senior cyber claims manager at Munich Re, said that attributing a ransomware attack can be done if an incident is of sufficient severity. For example, when satellites were attacked and shut down the day before Russian tanks rolled into Ukraine. This attack was attributed to the Russian state hackers by the US, the EU and the UK concurrently.

She said that this level of attribution is authoritative and clear when it comes to looking at insurance war exclusion.

She added: “I hope there will not be too many [incidents] that are borderline. We really do need to exclude things that are uninsurable for the insurance industry.”

Her comments came as she spoke as part of a panel titled ‘The key challenges around the LMA war, cyber war and cyber operations exclusion clauses’. Her fellow panellists were Neal Pal, senior product development specialist at Marsh and Siobhan O'Brien, managing director, Cyber Centre of Excellence Leader, at Guy Carpenter, with session chair Tony Tarquini, founder and CEO of 5189 Limited.

Passionate questions from the audience highlighted that a solution for SMEs requires more debate as smaller businesses cannot wait for attributions that can take months to be announced.

One delegate, who said he represented clients around the world with SME businesses or mid-sized suppliers, said “they [our clients] cannot find the individual response by themselves [to attribute the attack], that's why they buy a cyber policy.”

If they wait for an authoritative attribution, perhaps from a government or international body, which could take from six months to a year, that doesn't help them because the business has gone, he said.

Responding to a question on the potential for paying out incident response money to SMEs before an attribution has been confirmed, Munger said: “That's up to the individual [insurer]...”. She added: “There’s no reason why incident response [which would make payments to the insured] can’t act independently within the parameters [of the cover].”

Marsh’s Pal commented: “Many of our clients would rather not have an attribution clause in there. So we would prefer the LMA 5567 [clause].”

Did you get value from this story?  Sign up to our free daily newsletters and get stories like this sent straight to your inbox.