As of March 31, 2023, Lloyd’s of London (see sources 1 and 2 in appendix) coverage options were updated to exclude any losses attributed to nation-state actors. Dubbed the “war exclusion clause,” Lloyd’s move aims to minimize portfolio risk in the face of escalating attacks by nation-state-sponsored threat actors.
Meanwhile, insurers are seeking protection for themselves, turning to catastrophe bonds (CATs) to cover any losses due to attacks against their policyholders. These bonds were traditionally reserved for acts of God, like earthquakes and tornados; expanding them to cover cyber incidents is evidence of the growing challenge the industry faces as a result of escalating tensions around the globe. For instance, the British insurance giant Beazley just announced a new $45M bond in an attempt to capture market share. (See source 3 in appendix)
From a cyber perspective, both the proliferation of the RaaS ecosystem and the shifting operational model that now, almost always, includes multi-extortion tactics have complicated the calculus for insurance providers. Thanks to the specialization of Initial Access Brokers (IABs) within the RaaS community, the attacker’s barrier to entry is lower than it has ever been. Worse still, with the leak of nation-state offensive tool sets and prior groups’ source code, as well as new advances in artificial intelligence, sophisticated attacks are now easier for an adversary to execute and significantly harder for victims to attribute.
The confluence of these points yields continual increases in premiums and coverage gaps alike, forcing providers to re-calibrate to the new reality. In a survey of IT leaders, 74% noted increased premiums, 43% cited increased deductibles, and 10% saw a reduction in coverage benefits. (See source 4 in appendix)