Courts May Decide If Lloyd's Must Cover Nation-State AttacksExpect Legal Wrangling and Attribution Questions, Says Cordery's Jonathan Armstrong
Insurance market giant Lloyd's of London has announced that beginning in March 2023, its cyber insurance policies will no longer cover state-sponsored cyberattacks.
But attack attribution often being more art than science, will Lloyd's be able to deny claims based on, for example, the technical footprint of the attacker? Expect the answer to be decided in court, predicts Jonathan Armstrong, a partner at London-based law firm Cordery.
"We won't know until we know how the courts are going to interpret these clauses, and that might be four or five years down the line," he says. "One thing we will see is that insurers aren't equal. We have seen from the cases that we've been involved with some good insurers who will stand shoulder to shoulder with clients in a crisis and some other insurers who don't."
Key challenges facing organizations, including their CISOs, will be finding policies with the right coverage and balancing premiums costs with their security investments, he says.
In this video interview with Information Security Media Group, Armstrong discusses:
- The challenge of attributing online attacks;
- The role of cyber insurance in mitigating business risk;
- Why cyber insurance is no substitute for proper policies, practices and procedures.
Armstrong is an experienced lawyer with a concentration on technology, risk and compliance. He has handled legal matters in more than 60 countries involving emerging technology, corporate governance, ethics code implementation, reputation, internal investigations, marketing, branding and global privacy policies. Armstrong co-authored the LexisNexis technology law publication, "Managing Risk: Technology & Communications."