Introduction
This note has been compiled to make you aware of the forthcoming changes to the way the insurance market is responding to the Prudential Regulatory Authority’s (‘PRA’) request to clarify the cyber coverage provided by all insurance policies and to give you the opportunity to consider if you should make any changes to the way you are currently dealing with your cyber exposures.
Background
Cyber attacks are becoming more frequent and often make the headlines. These range from large scale data breaches, to denial of service attacks and demands for payment. The UK Government’s Cyber Security Breaches Survey 2020 reported in March 2020 that almost half of businesses had experienced a cyber security breach or attack in the previous 12 months.
This raises the question of how businesses are dealing with their cyber risks? Although there are bespoke cyber insurance products available, it is fair to say that the take-up rate for standalone cyber policies has historically been quite low. Instead of purchasing an insurance policy to manage cyber risks, businesses have instead chosen to manage their exposures by investing in their IT systems to defend against cyber attacks, as well as focusing on the education and training of staff against cyber threats. Alongside this, businesses have relied on the expectation that their existing policies provided some element of cover for their cyber exposures.
Recent regulatory changes
It is important to note that Professional indemnity (‘PI’) insurance was designed long before cyber threats existed and it was never intended that PI policies should pick up some of these emerging cyber threats. However, due to widely drafted insuring clauses which ostensibly provide cover in respect of any legal liability, and with no specific cyber exclusions, cover was often provided under such policies unintentionally. This is referred to in the insurance market as ‘silent cyber’.
However, the insurance market is having to reconsider its exposure to silent cyber cover, meaning PI policies are being redrafted to accurately describe what cyber cover (if any) they will provide.
The regulatory background to this is that in January 2019, the PRA advised all UK insurers that they must have “action plans to reduce the unintended exposure that can be caused by non-affirmative cyber cover”. Also in 2019, Lloyd’s advised that all policies must be clear on whether coverage is provided for losses caused by a cyber event. The intention is to eliminate silent cyber exposure and with it the doubt and uncertainty that is often created and either specifically exclude it, where appropriate, or affirmatively cover it.
What this means
As a Griffiths & Armour client, you may recall that in 2014, our Scheme PI policy wordings were updated to provide some limited cover in two specific areas in connection with cyber liability:
• for any Claim arising from a Data Security Breach (defined in the policy wording as the destruction, alteration or misuse of, or any unauthorised access to, any personal data that is processed, managed, handled or stored in connection with the Business), and
• a limited amount of cover for First Party Hacker Attack Cover. This was subject to the extension’s terms and conditions and an inner limit (generally £100,000 depending on the policy wording). The intention of this part of the extension is to provide first party costs for dealing with the aftermath of a Hacker Attack.
For the reasons outlined above, Scheme insurers have confirmed they can no longer accommodate these cyber risks being written as part of a PI policy. As a result, for all policies renewing under our PI Scheme facilities from 1st November 2021 onwards, the existing extension will be removed and an exclusion for cyber risks shall be applied.
This exclusion will follow an agreed market standard form, published by the International Underwriting Association (‘IUA’) which consulted with most of the established PI market in arriving at a standard position. In explaining the cover, they outlined some helpful scenarios to enable a practical understanding of the intention of the exclusion. It is important to highlight that the precise circumstances of the claim that you face will ultimately determine if (and to the extent that) the policy responds. They are nevertheless a useful starting point to consider the effect of the changes:
Q. Would the PI policy cover insured losses from failure to give professional advice due to a ransomware event?
Generally, yes, the failure to provide advice would be an intervening step, so this is an indirect result of a Cyber Act and therefore not excluded.
Q. Would the PI policy respond to claims that there was a professional error in the advice provided due to corrupt professional software?
The IUA suggest that the provision of professional advice following the corruption of the data by the software is an ‘intervening step’ and therefore the basis of the claim is the provision of advice, rather than corrupt software. They would therefore expect the PI policy to cover the claim.
Q. I email confidential data to an incorrect third party, is there any PI cover?
Here, the IUA distinguish between claims brought under ‘Data Protection Law’, which would be excluded, and claims brought by third parties in tort, or for breach of contract, which would not be excluded by this endorsement.
Q. My systems cause the spread of malware to my clients, is there any PI cover?
The intent of the endorsement would be to exclude such claims.
What can you do?
The cyber market has continued to develop over recent years in response to the rapidly changing nature and magnitude of the cyber related perils which now exist. As a result, there are numerous products on the market that will provide appropriately tailored and value for money cover for those firms that wish to understand, address and, where appropriate, transfer their specific exposures via an insurance product.
Standalone cyber policies have the benefit of covering first party losses suffered by the company, business interruption costs, and claims from third parties. Given that cyber related liabilities do not traditionally sit within a PI insurance context, it’s our advice that you contact your general insurance broker to discuss your cyber exposures further and arrange for a quotation. We can arrange an introduction to our own general insurance division if that would be of interest.
If you have any queries on your PI policy itself, please contact your usual Griffiths & Armour Account Handler. Alternatively, please click below to submit your enquiry to Associate Director, Claire Meade.
