Skip to Content

Lloyd’s of London is Investigating “Unusual Activity” on its Network

Updated on 2022-10-07

Insurance and reinsurance market Lloyd’s of London says they have “detected unusual activity on [their] network and … are investigating the issue.” Lloyd’s has reset its IT systems and shut down external connectivity, but has yet provided no further details.


  • This is a good example of that tough business risk decision to proactively disconnect and impact business to minimize potential impact of a suspected breach. This a good scenario for a proactive tabletop exercise with management/board members, both to educate them and to make sure the security team has an effective approach for communicating near term risk in a way that management can make an informed decision.
  • Lloyd’s engaged Mandiant and NTT to help with the investigation which found there was no evidence of compromise and advised Lloyd’s to start bringing systems online whenever they wish. Services are expecting to be restored by October 12.


Overview: Lloyd’s of London Excludes Some State-Sponsored Cyberattacks From Coverage

In an August 16, 2022 Market Bulletin, Lloyd’s of London “set out [its] requirements for state backed cyber-attack exclusions in standalone cyber-attack policies.” Lloyd’s syndicates will be required to exclude the attacks from insurance policies starting at the end of March 2023.


  • There are 4 complex exclusions that lawyers will have to review, but to me they basically have a very loose definition of “state-backed” unless some government agency declares an attack to be “state-backed.” It is increasingly hard to find success stories in cyber-insurance providing meaningful reduction in financial exposure to an attack, let alone complete coverage.
  • There is about a seven-month lead time for those insured by Lloyd’s to find an alternate solution. Expect other insurers to follow suit, as damages from a state actor, or undeclared war, represent large risk to the insurer. While on the surface this feels like a reasonable move from the insurers, the devil in in the details. Differentiating a genuine state sponsored attack from sympathizers or cybercrime groups is incredibly difficult. We all know attribution is hard, and now with insurance coverage hanging on the accuracy of that determination, particularly making sure that a look-alike organization is not involved, makes it even more so. This is another time to engage your legal team.
  • It will be interesting to see what the detail of this change will mean on companies’ claims. Hopefully, what this will lead to is more honest press releases and breach notifications where companies won’t automatically leap to point the blame at “nation state sophisticated attackers”, but rather admit they were victims of ordinary criminal behaviour.
  • This should not surprise anyone. Lloyd’s underwriters have never covered acts of war.


    Ads Blocker Image Powered by Code Help Pro

    It looks like you are using an adblocker.

    Ads keep our content free. Please consider supporting us by allowing ads on