The insurance market has seen some large losses in recent years as a result of sophisticated cyber events such as the WannaCry, Petya and NotPetya ransomware attacks in 2017. These events have been classified as a cyber catastrophe, with industry losses now being reported at levels surpassing USD3bn (GBP2.3bn). Of these losses, 90% were driven by silent cyber impacts.
Other attacks include one on CNA Insurance, which recently suffered a cyber security attack causing a network disruption that affected certain systems, including corporate email. The hotel chain Marriott International Inc. and airline British Airways were both the subject of a data breach because of a cyber attack. Marriott International Inc. were fined GBP18.4m by the Information Commissioner’s Office (ICO) for failing to keep millions of customers’ data secure. British Airways were fined GBP20m (USD26m) by the ICO as the data breach affected more than 400,000 customers.
Cyber crime is an ever-rising threat, especially with the vast numbers of employees working from home due to Government lockdowns as a result of COVID-19. With the working from home trend set to continue for many businesses going forward, cyber crime and its prevention should be at the forefront of all business owners’ minds.
In 2020, businesses in the UK each faced 686,961 attempts on average to breach their systems online. This equates to an attempted attack every 46 seconds, with 2020 proving to be the busiest year on record for cyber attacks.
What is silent cyber?
In the past, the uptake of bespoke, standalone Cyber policies has been relatively low (when compared with the risks faced by businesses). This meant that as businesses continued to place increased reliance on their IT systems, in the event that they suffered a breach or cyber event, they looked to their more ‘traditional’ policies to seek coverage under those. Some levels of cover were offered under these policies, often inadvertently, thus the name ‘silent cyber’, or more specifically, non-affirmative cyber.
The issue here was that insurers were covering losses that they had not contemplated, as they were not fully assessing or adequately pricing for the risk, and this led to a systemic exposure across multiple lines of business. For example, the NotPetya attack affected numerous organisations who sought to claim for losses under their traditional policies, as many did not have specific Cyber policies in place at the time. The issue for policyholders in relying on their traditional policies was that there was a level of uncertainty as to the extent of any cyber coverage, and this therefore led to numerous disputes with insurers.
Why is silent cyber a problem now?
Following a review, the Prudential Regulation Authority (PRA) determined that if silent cyber was not addressed, then there could be a serious risk posed to the solvency of insurers, which would ultimately have a significant negative impact on policyholders.
In a letter to all UK insurers issued in 2019, the PRA stated that insurers must have “action plans to reduce the unintended exposure that can be caused by non-affirmative cyber cover”. Later that year, 4 July 2019, Lloyd’s of London issued a market bulletin mandating clarity on all policies as to whether coverage is provided for losses caused by a cyber event, in order to eliminate silent cyber exposure. This led to many insurers introducing either firm exclusions for cyber or affirmatively including specific coverages (and pricing accordingly for this).
What have we seen so far from Lloyd’s?
Property policies were the first to make the move towards addressing silent cyber exposure, followed by crime and political risks policies. At the time with these classes, there were numerous challenges around how these exclusions would operate without removing the core coverages, particularly under a crime policy, as in the modern age IT systems are often involved at some point in a chain of events. This led to numerous versions of exclusions across the market and therefore left the potential for ambiguity in the clauses. As a result, the Lloyd’s Market Association (LMA) and International Underwriting Association (IUA) have worked to develop clauses and endorsements that more adequately address this issue, and as of 1 January 2021, these clauses were introduced to Professional Indemnity (PI) and Directors’ and Officers’ liability (D&O) policies.
The issue of silent cyber and PI?
The issue of silent cyber was always particularly challenging for PI policies, insofar as many professional services firms hold and transfer money as part of their day-to-day business operations, and often hold significant volumes of client monies. Therefore, it was particularly fundamental that the endorsements added to PI policies fully addressed the requirements of these firms and ensured there was no gap in coverage between a PI policy and a separate Cyber policy. The additional challenge is the broad civil liability basis of many PI policies, which provides coverage for claims arising from the insured’s ‘professional activities’. In addition, the Solicitors Regulation Authority (SRA), Institute of Chartered Accountants in England and Wales (ICAEW) and Royal Institution of Chartered Surveyors (RICS) all have Minimum Terms and Conditions required under PI policies, which prevent the limitation of coverage under the policies, particularly to the detriment of a third party.
Following on from an extensive survey of the PI and cyber markets, taking into account views on claims scenarios and how coverage within both Cyber and PI policies was intended to respond, the LMA and IUA developed two model endorsements – the IUA04-017 and the LMA 5531 (note that there is also an IUA04-014 endorsement in addition which addresses technology professional services but we will focus on the 017 for the purposes of this piece). In addition, the IUA have produced an explanatory note outlining the approach and the intentions behind the endorsement and provided explanatory claims scenarios to show the intended coverages.
The key takeaway of the IUA clause is that claims and losses directly caused by a cyber act, system failure or virus are excluded, but losses indirectly caused are potentially covered. The benefit to the insured is that ‘directly’ requires proximate cause but ‘indirectly’ is a lesser causative connection. The IUA have explained that the intention to exclude ‘direct’ losses is to ensure the exclusion of cyber losses where the insured has not intervened, and these should therefore be covered by a separate Cyber policy.
The LMA endorsement has a broader exclusion for cyber events with no ‘indirect’ language. There is limited coverage for a cyber incident if a claim arises from an actual or alleged breach of professional duty, but overall, the LMA clause offers broader coverage under the exclusion.
It is worth pointing out at this stage that there has never been any intent under PI policies to provide cover for first-party losses, i.e. the costs associated with a breach. These include costs such as ransom payments, breach response costs, business interruption and reputational harm. Therefore, it is fundamental for any business/organisation who relies on IT to operate (which is the majority of businesses) to be purchasing a separate Cyber policy to ensure that these losses are covered. Failure to have coverage in the event of an attack could be an existential threat to many businesses. It is particularly important to be reviewing this now, in light of the approach across the market to exclude silent cyber exposures, as businesses/organisations will have even less potential coverage under other traditional policies.
How are the IUA and LMA clauses affecting PI renewals this year?
Following this April renewal season, the use of IUA and LMA clauses has increased. We have seen insurers applying such clauses on PI policies to all professions across all layers where minimum terms permit.
This is definitely a shift in the market in comparison to prior years, and echoes the serious threat that cyber crime poses to all businesses. To add some more context, some insurers on excess layer markets were not prepared to apply this clause, although in those situations they sought to charge an annual premium of circa 10% to do so (essentially to illustrate they haven’t been ‘silent’ on cyber cover, and have allocated some premium towards it).
Follow markets (insurers that follow the lead market on an excess layer programme) and other markets sought to apply the IUA clause as standard to address this issue; the insureds whose renewals we saw this season were comfortable with that, as they already purchased a separate Cyber policy.
The SRA and a potential new PI insurance clause on cyber crime?
The SRA are currently considering changing their minimum terms and conditions for solicitors’ professional indemnity insurance in response to the increased risk and scale of cyber attacks. The SRA are proposing, subject to a consultation open until 25 May, that client losses caused by a cyber attack which could result in a claim against a firm must be covered.
SRA chief executive Paul Philip said: "Cyber crime remains a major risk for all law firms – it’s the fastest-growing crime in the country. Law firms handle large amounts of client money and sensitive information, and that makes them an attractive target. Professional indemnity insurance offers key protection for the public. The proposed clause on cyber losses provides real clarity for consumers, law firms and insurers about clients and third-party protection in the event of a cyber attack."
The benefit of a Cyber policy?
The benefit of a Cyber policy goes beyond standard indemnification of a loss. Cyber policies include a coordinated breach response as standard under the policy – for many organisations, this is absolutely essential, as coordinating, investigating and remediating a cyber attack often falls outside of the capabilities of most businesses. In addition, cyber insurers offer numerous risk management tools to assist businesses in understanding, identifying and mitigating cyber threats, which again is very important and useful for the many businesses who do not have these tools or the in-house capability for this.
For firms that buy both Cyber and PI policies, it is important to work with a broker who understands the intricacies of overlaps of coverage across both policies and works to ensure there are never any gaps in coverage. It is also important, in the event of a claim, that there is clear language in the policies as to which policy is intended to respond as primary, which then removes any ambiguity and ensures that there is no dispute as to intent at an already stressful and often critical period for any business/organisation.
What can policyholders do?
- Review cyber coverage and limits purchased.
- If you do not purchase a Cyber policy, then speak to your broker about the benefits of having one.
- Start your insurance renewal process early: presenting your risk to the market or markets takes time. Standard renewals are taking longer, in part due to COVID-19, but also because insurers are requiring more information as a result of the current hard market and more market feedback is required from insureds, which in turn needs to be reviewed thoroughly.