Recent cyber attacks including the MOVEit hack by Clop and the theft of information from Capita have demonstrated the scale of the potential threat posed to businesses. In the instance of losses resulting from a cyber crisis, a business should take all necessary steps to understand what protection their insurance policies can provide.

Aaron Le Marquer, Head of Policyholder Disputes, comments here on the recent high-profile cyber attacks and the lessons which companies and their directors should learn from them.

 

Consequences of the MOVEit hack

In June 2023, cyber organisation Clop announced on a blog that they had exploited a zero-day vulnerability in the file transfer software MOVEit to steal confidential information from multiple UK-based organisations. The group, believed to be based in Russia, have demanded a ransom from affected companies and subsequently begun leaking stolen information.

The origins and backing of Clop remain shrouded in mystery. These circumstances may therefore provide the first real-life test of Lloyd’s of London’s Market Bulletin Y5381 mandating that all cyber policies must exclude losses arising from war (whether declared or not), and restrict cover for state-backed cyber attacks.

The mandate, and the subsequent Lloyd’s Market Association (LMA) model clauses intended to be compliant with Bulletin Y5381, have provoked considerable controversy since their publication and led to the publication of two alternative sets of clauses. There are now a total of twelve versions of the LMA clauses available to insurers and policyholders, as well as a variety of bespoke clauses drafted by brokers and insurers.

Whether this state of affairs is conducive to a harmonious understanding of the correct application of the exclusions as between insurers, brokers and policyholders, or alternatively is a recipe for disaster, remains to be seen. There is no question that the exercise has been carried out with the best of intentions, i.e. ensuring contract certainty and avoiding misunderstandings over coverage, but the array of subtly different formulations now on offer seems unlikely to achieve that aim.

One of the key areas of uncertainty is around attribution. Exactly how a cyber attack is to be attributed as ‘state-backed’ remains highly contentious, and seems certain to result in disputes between cyber attack victims and their insurers. In the case of the MOVEit attack, Clop has been accused of “being at the forefront of the Kremlin’s large-scale disinformation campaign to manipulate international public opinion on Russia’s illegal war in Ukraine.”

Will insurers therefore regard claims made under cyber policies as a result of the MOVEit attack to be “losses arising from war” that are excluded from cover? And even if not, is there sufficient evidence for insurers to establish that the attack is “state-backed”, in which case coverage might or might not be excluded, depending on the scale of the cyber attack and which version of the LMA Exclusions (or equivalent) is adopted?

Definitive proof of the ultimate origin of a cyber attack is rarely available, meaning that virtually any cyber attack may be alleged by insurers to be state-backed, giving rise to coverage disputes that will be difficult to resolve. Although the Lloyd’s Market Bulletin requires insurers to set out a robust basis by which a cyber attack is to be attributed to one or more states, the latest version of the LMA clauses simply provides that the parties “will consider such objectively reasonable evidence that is available to them”, which does not necessarily move matters forward.

The growing list of victims includes Ofcom, TfL, Aer Lingus, British Airways, Boots and the BBC – though Clop has suggested it does not have data from all of these organisations, raising the threat of a separate cyber attack.

Regardless of the nature of the attackers, there is no doubt that targeted organisations will be closely studying the terms of their insurance to determine whether they are covered for losses caused by the attack.

 

Cyber attack on Capita

Outsourcing giant Capita was hit by a cyber attack in March 2023, and confirmed that hackers had likely seized data related to its pensions clients from about 4% of its servers. In May the company contacted trustees to confirm that some pensions data “is likely to have been exfiltrated” but found “no evidence” of data being made available on the dark web.

Capita’s losses, estimated at between £15m and £20m for professional fees and remediation expenses, underline the need for comprehensive cyber cover for all enterprises exposed to cyber breaches and attacks. In the modern digital era, that is of course most businesses.

In response to the Capita hack, the UK’s biggest private sector pension plan USS subsequently launched an identity protection service for members. This consisted of credit monitoring and identity monitoring activities, in which online activity is constantly checked to identify any potentially improper use of the individual’s personal profile or credit details, with potential issues flagged for checking to avoid or limit any fraudulent activity.

It is highly likely that other affected pension plans or other financial institutions whose customer data has been actually or potentially compromised by the Capita breach will have offered similar rectification measures to their customers. It is also likely that they will seek to recover such costs from Capita, leading to the question of whether Capita is covered for such third party liabilities under the terms of its cyber insurance.

Aside from cover for direct losses caused by an attack, businesses may require cover for third party liabilities and business interruption losses flowing from the incident, which could dwarf the immediate costs of responding to and remediating the attack.

 

Conclusions

A cyber incident can result not only in direct losses incurred in remediating and limiting damage, but also in third party claims from customers, suppliers and any other parties on whose behalf data was held. In today’s hyper-connected world, it is very difficult to ring-fence the harm caused by a cyber attack or breach, and the ripples can extend much further than the immediate target of the attack.

Cyber cover continues to be a rapidly evolving and highly differentiated insurance product, and policyholders should take care to ensure that they understand the nature and extent of cover in full, and more importantly any limitations or exclusions that may undermine the cover that is apparently in place.

 


 
