CYBERSECURITY & DATA PRIVACY | CYBERSECURITY INSURANCE

markets to health and utility services. Some of these clauses also specifically disclaim coverage for losses arising out of retaliatory cyber operations conducted by specific named states including China, France, Germany, Japan, Russia, UK or [the] USA. These types of exclusions would likely limit the applicability of coverage to many of the most prominent attacks that have been linked to nation-state actors, including the NotPetya attack mentioned above.

Because application of these clauses is contingent on linking a given attack to a state actor, these new proposed exclusions contain language directly addressing the often highly technical and challenging issue of cyber attack attribution. Each exclusion clause states that the primary but not exclusive factor in determining attribution of a cyber operation is whether the impacted state has attribute[d] the cyber operation to another state or those acting on its behalf. In the absence of such official attribution, the insurer grants itself the ability to rely upon an inference which is objectively reasonable as to attribution and to consider other available evidence.

Although it is unclear how many insurers have begun incorporating these exclusions into actual policies, it is reasonable to expect the industry will continue to seek ways to meet clients' needs while mitigating unquantifiable risk. These types of exclusions could help to reduce uncertainty for insurers, but will likely leave policy holders with challenges ensuring proper risk mitigation and transference.

New Requirements for Insureds

One development that is likely to continue in the coming years is the imposition of new and more robust cybersecurity requirements for insureds. Some insurers have begun requiring companies to certify to a checklist of cybersecurity protective measures to qualify for coverage. Specific requirements vary among insurers, but providers are likely to require some increasingly common best practices, including installation of endpoint detection software, implementation of multi-factor authentication for certain types and levels of access, engagement with employees on phishing schemes, and demonstration of a capability to restore data from backups. Insurers also may ask their customers to encrypt sensitive data or even provide information on the success of phishing awareness campaigns, such as by sharing the percentage of employees that fell for fake phishing emails.

This shift towards expanded expectations from insurers reflects not only an effort by insurers to limit their losses, but also by the federal government to identify additional levers to shore up cybersecurity protections at a time of increasing risk. For example, Resilience Insurance announced its decision to impose such requirements after a White House summit with President Biden and other prominent private sector leaders in August 2021.

Many companies may already comply with these best practices voluntarily or may be required to meet similar requirements under state data security laws or federal standards set by the National Institute of Standards and Technology. But the requirements coming from insurers mark a new development in the drive to impose cybersecurity practices on businesses.

144 | Global Insurance Industry Year in Review 2021