Silent Cyber in Professional Indemnity Insurance

Authors: Andrew Jones, Ahmed Mian
Date: December 2020
International Construction and Insurance Law Specialists, www.beale-law.com

Silent (or non-affirmative) cyber coverage and the systemic risk it poses is a serious concern for the insurance industry, leading to scrutiny from the Prudential Regulation Authority and prescriptive intervention by Lloyd's. Andrew Jones and Ahmed Mian consider the regulators' concerns, what the industry is doing about it and what the future holds, in particular for Professional Indemnity insurers and policyholders.

What is "Silent Cyber"?

Cyber risks encapsulate any risk of financial loss, disruption or damage to the reputation of an organisation arising from the failure, or the unauthorised or erroneous use, of its IT systems. These risks can arise from both malicious acts (e.g. cyber-attacks) and non-malicious acts (e.g. infrastructure downtime and accidental loss of data).

Cyber risks are growing in number and public awareness of them is increasing. This comes from the ever-increasing reliance on IT systems by organisations of all types (businesses, defence, education, healthcare, charities etc.) and the increased frequency of cyber-attacks on these organisations, against the backdrop of increased regulation. The 2018 introduction of the GDPR, in particular, has widened the obligations on organisations, and the potential sanctions against them, for many types of personal data misuse.

The financial losses that can result are very significant, both first-party and third-party: the costs of specialist IT assistance, third-party claims for compensation, business interruption losses, regulatory investigations and penalties, ransomware payments and legal costs, to name but a few. The reputational losses can be even more significant.

The insurance industry has responded with a wide variety of specialist cyber insurance products to provide cover for these exposures (even penalties and fines, where legally insurable in the relevant jurisdiction), at premium rates which are likely to be viewed in years to come as very reasonable. However, while the market penetration for bespoke cyber insurance is increasing, not all businesses yet take it out. When a cyber event occurs, therefore, these insureds cast the net wide to test whether any of their traditional insurance policies might provide cover.

"Silent" or "non-affirmative" cyber cover is the provision, perhaps inadvertently, of cover for cyber risks in insurance policies (typically traditional property and liability policies) through neither expressly including nor expressly excluding cover for such cyber risks.

This contrasts with "affirmative" cyber cover, where such coverage is expressly provided, whether in bespoke cyber risks policies or as express coverage and extensions in non-cyber policies.

Why is Silent Cyber a problem?

Silent cyber is problematic for both policyholders and insurers. For policyholders, it can result in uncertainty as to the existence and extent of their cyber coverage, increasing the risk of disputes with their insurers. Lack of coverage in the event of a cyber event could be an existential threat.

Insurers, for their part, may have inadvertently given cyber cover without having fully assessed or priced the risk of what can be large claims. Large-scale cyber events can also impact organisations worldwide and across multiple lines of business, and give rise to previously unrecognised systemic risk. The potential increase of cyber event-driven class actions in the UK, which could lead to massive losses, is also a growing (and arguably unpriced) risk (see our separate article on the rise of UK cyber class actions).

What is the insurance industry doing?

The UK market for cyber insurance is relatively young compared to the US market. The PRA (the UK insurance regulator from a prudential perspective) has warned that if the coverage for cyber risks is not managed well, it could pose a significant risk to the viability of insurance companies and to the reputation of the UK insurance industry as a centre for excellence and innovation. These concerns have led to a chain of regulatory and market developments:

November 2016: In light of its concerns, the PRA conducted a cross-industry review, resulting in its "Dear CEO" letter to insurers in November 2016. The PRA reported that various areas of improvement were needed, for both affirmative and silent cyber cover. In relation to silent cyber, the PRA found:

- Silent cyber was a clear material risk, yet many insurers were unable to demonstrate robust methods for quantifying and managing this risk.
- The potential for significant cyber insurance losses was increasing with time, from both the awareness of silent cyber cover and the frequency of cyber-attacks.
- There was recognition that insurers would find it increasingly challenging to argue that non-affirmative liability policies did not intend to cover cyber risk, given the publicity and awareness of the issue.

July 2017: As a result of its findings and follow-up consultation, the PRA issued a Supervisory Statement in July 2017 setting out its expectations for underwriting cyber risks. In respect of silent cyber, this required insurers to "robustly assess and actively manage" their silent cyber exposure. Insurers were expected to introduce measures that reduced their unintended exposure to cyber risks, such as offering explicit cover and adjusting premiums to reflect the additional risk, introducing robust exclusions and/or attaching specific limits of cover.

January 2019: After a follow-up survey, the PRA issued a further "Dear CEO" letter to insurers on 30 January 2019 saying that, whilst some work had been done, more was needed, including in insurers' assessment of their silent cyber exposure. As a result of the continued concerns, the PRA required insurers to develop action plans by the first half of 2019 to reduce their unintended exposure to silent cyber.

July 2019: In its Market Bulletin Y5258, Lloyd's set out its response, mandating that all policies of its members provide clarity regarding cyber coverage by either expressly excluding or expressly providing affirmative cyber cover. In this and in its subsequent Bulletin Y5277, Lloyd's set out a phased action plan by line of insurance requiring these changes by:

- January 2020: First-party property policies.
- July 2020: Political risks and crime policies.
- January 2021: PI, D&O, EL/PL and aviation policies.
- July 2021: Medical malpractice and treaty policies.

In order to comply with the PRA and Lloyd's requirements, insurers have developed revised policy wordings, endorsements and exclusion clauses.

The general observation (and complaint from some brokers) has been that many insurers have elected simply to add blanket cyber exclusions, as opposed to providing affirmative cover, and in doing so have effectively excluded cover for previously covered perils simply because IT systems are involved at some point in the chain of events, even if not as the proximate cause of loss. In defence, one can understand an insurer's desire to push cyber-related risks to the specialist cyber policy market, where they can be better identified and priced. The difficulty is in identifying a suitable policy wording which fairly delineates between risks that should really be covered and priced in the specialist cyber market and the cover expected to be retained in traditional business lines.

The LMA (the Lloyd's Market Association) and the IUA (the International Underwriting Association of London) have developed a number of cyber-related endorsements for use by their members seeking to delineate this issue across multiple lines of business.

How can silent cyber impact Professional Indemnity Insurance?

Professionals are exposed to cyber risks not least because they often hold and transfer large sums of money and sensitive corporate and personal data. The PRA's review specifically identified that PI insurance policies were particularly likely to be exposed to various degrees of silent cyber risk.

PI policies (not least where required by the relevant professional regulator, e.g. the SRA, ICAEW etc.) are often written on a broad "civil liability" basis for claims arising out of the professional's activities. This wide "civil liability" cover is then traditionally limited at some level via express exclusions, such as excluding liabilities associated with EL/PL and D&O risks which are intended to be covered by separate policies.

However, as the PRA noted, express exclusions for cyber-related claims have not yet become standard in the PI market, even as the risk of silent cyber has become more widely known. This has not been helped by the fact that many professional regulators (SRA, ICAEW, RICS etc.) have mandatory minimum terms which prevent insurers from unilaterally limiting the cover in their policies, not least where one of the primary aims of such policies is to ensure the protection of the consumer of the professional's services.

Some of the cyber-related scenarios where PI policies may provide cover, unless there are applicable exclusions, include:

- Statutory claims for compensation from clients or other third parties under the Data Protection Act 2018/GDPR for personal data breaches following a cyber-attack on the professional's computer system or accidental loss of data;
- "Friday afternoon frauds", where criminals trick the professional's staff into sending them client monies via fake emails;
- Phishing attacks leading to loss of first-party or third-party funds or corporate/personal data;
- A professional using third-party software to provide automated advice to clients, where the software becomes corrupted following a cyber-attack or programming error and the advice provided is wrong;
- Ransomware events where the insured is then unable properly to service clients, leading to professional negligence claims.

What is happening in relation to silent cyber in Professional Indemnity Insurance?

All PI policies (and new coverholder arrangements) written through Lloyd's incepting from 1 January 2021 need to either expressly include or expressly exclude cyber cover.

The LMA and IUA have been working hard to develop cyber endorsements for their members for PI policies. The IUA's Professional Indemnity Forum created a Cyber Working Group to review the management of cyber risks in the various PI classes of business and to draft model endorsements specifically for PI policies.

Given the variety of potential claims against professionals, it is not always easy to draw the line on whether certain claims, which could be said to be cyber-related in one way or another, should be considered PI risks and fall for cover under PI policies, or are not PI risks and should be excluded and passed to the specialist cyber insurance market. For example, if a hacker steals a professional's own money, one would not expect the PI policy to respond to this loss. But what if it were client money? What if the hacker does not steal the client's money directly, but intervenes in the professional/client email chain, tricking the professional into paying away the client's money to the hacker? Should it make a difference if the professional is negligent in its implementation of its cyber-security measures?

The IUA conducted a wide-ranging survey of the PI and cyber markets, including consulting with insurers, brokers and professionals, to obtain the market's views on numerous claims scenarios and whether certain claims should fall for coverage under PI policies or should be excluded. Taking into account these views, the IUA and LMA have developed model endorsements which seek to delineate cover for certain cyber-related events.

The IUA's model endorsement

The IUA has recently published its model endorsement clause "IUA04-017" and an explanatory note [1]. The general approach adopted by the IUA is:

- Claims and losses directly caused by a malicious cyber-attack (called a "Cyber Act"), system failure (of the system owned or controlled by the Insured or any other party acting on their behalf) or virus transmission are excluded, but losses indirectly caused by these events are potentially covered.
- There is a total exclusion for all claims for breach of Data Protection law (as defined).
- There is also a total exclusion for claims, losses etc. directly or indirectly caused by the failure of service of (a) any ISP, cloud or telecoms supplier, unless that failure is by a supplier hosting the hardware or software owned by the Insured, or (b) a utility service provider where such failure impacts the Insured's computer system.
- Cover otherwise provided for reconstituting lost or damaged documents will not apply to computer data.

Leaving aside for one moment the total exclusion of "Data Protection law" and "data-related loss of document" claims, the IUA endorsement seeks to distinguish between: (i) claims caused by third-party deliberate "bad actors" and interruption to the hosting of the Insured's hardware and software (claims excluded only if directly caused by such perils); and (ii) accidental interruption to the Insured's computer system (claims excluded if directly or indirectly caused by such perils).

The IUA endorsement language requires (as is common with any insurance policy) an understanding of the legal concept of the "proximate cause" of a loss. In summary, something is the proximate cause if it is the dominant, real, operative or effective cause of loss. The courts have held that "directly" caused includes a requirement of proximate cause, whereas "indirectly" caused implies that a weaker causative connection is enough for a policy exclusion to apply. What that lesser causative requirement is has been debated in past cases [2] and is ultimately an issue of judicial impression based on the facts of any particular case.

The IUA's Explanatory Note explains that the intention behind excluding losses caused directly, but not indirectly, by specified cyber events is to exclude "pure" cyber losses, where there has not been any "intervening" act or omission on the part of the Insured, which should fall to the specialist cyber risks insurance market. The intention is for the PI policy to cover claims where the proximate cause of the loss was the professional firm's act or omission and the cyber event was more peripherally involved.

The total exclusion of claims for breaches of Data Protection law excludes claims that may well have previously been "silently" covered by many PI policies: for example, claims for statutory compensation for personal data breaches under the GDPR, where the professional has breached the confidentiality of its clients' personal data as a result of a cyber-attack or accidental loss of data. Cover for these statutory claims is clearly excluded by the IUA endorsement. Depending on the facts, however, such claims may effectively be brought alternatively as claims for breach of contract or as tortious claims for negligence, breach of confidentiality or misuse of private information, which may well still be covered by the main PI policy insuring clause.

The LMA's model endorsement

The LMA has also just published its model endorsement clause, "LMA 5531". The LMA has taken a slightly different approach to the IUA in its model endorsement:

- There is a total exclusion for all claims and losses directly or indirectly caused by or contributed to by a malicious cyber-attack (also called a "Cyber Act").
- All claims and losses directly or indirectly caused by a "Cyber Incident" are:
  i. Excluded. Cyber Incident is defined as (a) any error or omission involving access, processing, or use of or operation of the Insured's or any other party's computer system, and (b) a systems failure of the Insured's or any other party's computer system; but
  ii. There is a limited "write-back", providing cover for such Cyber Incidents if the claim against the Insured arises out of an actual or alleged breach of "Professional Duty" involving access, processing, or use of or operation of the Insured's or any other party's computer system or data, unless such breach of Professional Duty by the Insured is caused by, contributed to by, resulting from, arising out of or in connection with a Cyber Act (i.e. a malicious cyber-attack).
- Like the IUA's endorsement, there is a total exclusion for all claims for breach of Data Protection law (as defined).

Whilst the applicability of the IUA and LMA endorsements will depend upon the specific facts of any case, the exclusion for cyber-related events in the LMA's endorsement is therefore potentially wider than the IUA endorsement, given that it totally excludes claims directly or indirectly caused by "Cyber Acts", i.e. malicious cyber-attacks, whereas the IUA endorsement only excludes claims directly arising from these types of events.

What about regulated professionals?

For non-regulated professionals, the model endorsements that have been prepared by the LMA and IUA should ensure their members can meet Lloyd's deadline of 1 January 2021 for making it clear that their policies either expressly include or exclude cyber cover.

However, it seems unlikely that policies for all regulated professionals, such as solicitors, surveyors and accountants, will be ready by 1 January 2021, given the need for the regulatory bodies such as the SRA, RICS and ICAEW to approve any changes to their minimum terms to allow any cyber-related exclusions. History shows that changes to minimum terms wordings are difficult to agree and, even if ultimately agreed, take time to implement, not least due to the various stakeholders involved and the desire of the professional bodies for their members and the consumers of their services to benefit from the widest possible cover. It remains to be seen how Lloyd's (and potentially the PRA) will approach any delays in updating PI policies for regulated professions.

The future

The insurance market has made a lot of headway in dealing with the problem of silent cyber.

Some brokers have complained of a rush to exclusions, some of which are too wide, including some which seemingly exclude any loss where technology is involved in any way. Many insurers will inevitably take a cautious approach against the backdrop of regulatory scrutiny, impending deadlines and gaps in knowledge. Wordings, and the understanding of the market, will certainly continue to develop. Professionals should carefully consider their cyber risk exposure, and seek advice on it from their brokers, in light of these developments and wording changes, to ensure they are sufficiently protected.

It is undoubtedly a positive that there will be more clarity over cyber coverage, and that policyholders and brokers can negotiate with insurers with greater certainty and look to specialist cyber policies as necessary.

Such focus also feeds into a separate, difficult coverage problem which exists in the world of specialist cyber policies. There is very little market consistency in the drafting and language of specialist cyber policy wordings, and a wide range of new cyber policy wordings and exclusions continue to come to the market. The cover provided by these different cyber policies across first- and third-party losses is diverse, and some policies have been criticised as providing weak and illusory coverage [3].

On the other hand, cyber policies can provide cover that can prove life-saving to professionals and other businesses should a cyber event occur [4]. The steps to eradicate silent cyber mean that obtaining proper cyber risks cover is more important than ever.

With such a variety of untested policy language, and given the ever-increasing cyber risks faced by all types of organisations and the potentially existential losses involved, navigating the cyber policy market is a potential minefield, and insureds require expert cyber brokers (and potentially expert cyber lawyers) to understand and ensure they obtain sufficient coverage for their cyber exposure.

Notes

[1] Available at: https://www.iua.co.uk/IUA Member/Clauses/eLibrary/Clauses.aspx
[2] See Crowden v QBE Insurance (Europe) Ltd [2017] EWHC 2597 (Comm) for a useful overview of the application of such language to policy exclusions.
[3] See Mactavish's "Cyber Risk and Insurance" report, November 2018.
[4] See, for example, our recent article on the SRA's recent review of the costs and consequences to various firms of solicitors following cyber-attacks.

For further information please contact:

Andrew Jones, Senior Associate
+44 (0) 20 7469 0420
ag.jones@beale-law.com

Ahmed Mian, Trainee Solicitor
+44 (0) 20 7469 0423
a.mian@beale-law.com