This note has been compiled to make you aware of forthcoming changes to the way the insurance market is responding to the Prudential Regulation Authority's ('PRA') request that insurers clarify the cyber cover provided by all of their policies, and to give you the opportunity to consider whether you should change the way you currently deal with your cyber exposures.
Cyber attacks are becoming more frequent and often make the headlines. These range from large scale data breaches, to denial of service attacks and demands for payment. The UK Government’s Cyber Security Breaches Survey 2020 reported in March 2020 that almost half of businesses had experienced a cyber security breach or attack in the previous 12 months.
This raises the question of how businesses are dealing with their cyber risks. Although bespoke cyber insurance products are available, it is fair to say that take-up of standalone cyber policies has historically been quite low. Rather than purchasing an insurance policy to manage cyber risks, businesses have chosen to manage their exposures by investing in their IT systems to defend against cyber attacks and by educating and training staff to recognise cyber threats. Alongside this, businesses have relied on the expectation that their existing policies provided some element of cover for their cyber exposures.
Recent regulatory changes
It is important to note that Professional Indemnity ('PI') insurance was designed long before cyber threats existed, and PI policies were never intended to pick up these emerging cyber threats. However, because their insuring clauses are widely drafted, ostensibly providing cover in respect of any legal liability, and contain no specific cyber exclusions, such policies have often provided cover unintentionally. This is referred to in the insurance market as 'silent cyber'.
The insurance market is now having to reconsider its exposure to silent cyber, meaning PI policies are being redrafted to describe accurately what cyber cover (if any) they will provide.
The regulatory background is that in January 2019 the PRA advised all UK insurers that they must have "action plans to reduce the unintended exposure that can be caused by non-affirmative cyber cover". Also in 2019, Lloyd's advised that all policies must be clear on whether coverage is provided for losses caused by a cyber event. The intention is to eliminate silent cyber exposure, and with it the doubt and uncertainty it often creates, by either specifically excluding cyber risk, where appropriate, or affirmatively covering it.
What this means
As a Griffiths & Armour client, you may recall that in 2014, our Scheme policy wordings were updated to provide some limited cover in two specific areas in connection with cyber liability:
• cover for any Claim arising from a Data Security Breach (defined in the policy wording as the destruction, alteration or misuse of, or any unauthorised access to, any personal data that is processed, managed, handled or stored in connection with the Business), and
• a limited amount of First Party Hacker Attack Cover. This was subject to the extension's terms and conditions and an inner limit (generally £100,000, depending on the policy wording). The intention of this part of the extension is to meet first party costs of dealing with the aftermath of a Hacker Attack.
For the reasons outlined above, Scheme insurers have confirmed they can no longer accommodate these cyber risks being written as part of a PI policy. As a result, for all policies renewing under our PI Scheme facilities from 1st November 2021 onwards, the existing extension will be removed and an exclusion for cyber risks shall be applied.
This exclusion will follow an agreed market standard form published by the International Underwriting Association ('IUA'), which consulted most of the established PI market in arriving at a standard position. In explaining the cover, the IUA outlined some helpful scenarios to give a practical understanding of the intention of the exclusion. It is important to highlight that the precise circumstances of any claim you face will ultimately determine whether (and to what extent) the policy responds. The scenarios are nevertheless a useful starting point for considering the effect of the changes:
Q. Would the PI policy cover insured losses from failure to give professional advice due to a ransomware event?
Generally, yes: the failure to provide advice would be an intervening step, so the loss is an indirect result of a Cyber Act and therefore not excluded.
Q. Would the PI policy respond to claims that there was a professional error in the advice provided due to corrupt professional software?
The IUA suggest that the provision of professional advice following the corruption of data by the software is an 'intervening step', so the basis of the claim is the provision of advice rather than the corrupt software. They would therefore expect the PI policy to cover the claim.
Q. I email confidential data to an incorrect third party, is there any PI cover?
Here, the IUA distinguish between claims brought under ‘Data Protection Law’, which would be excluded, and claims brought by third parties in tort, or for breach of contract, which would not be excluded by this endorsement.
Q. My systems cause the spread of malware to my clients, is there any PI cover?
The intent of the endorsement would be to exclude such claims.
What can you do?
If you are an existing Griffiths & Armour client who places a cyber liability policy via our general insurance division, it is likely that you already have some protection against the issues noted above. That point aside, there is no doubt that the cyber market continues to develop in response to the rapidly changing nature and magnitude of the cyber related perils which now exist.
You may wish to take this opportunity to speak to your usual account handler in our general insurance division, who will be happy to review your cyber exposures with you and recommend, where appropriate, any changes to your existing cyber arrangements that may be prudent having regard to the changes to your PI policy and to other insurance policies, where similar exclusions and restrictions are likely to feature.
If you have any queries on your PI policy itself, please contact your usual Griffiths & Armour PI Account Handler or click below to submit your enquiry to Professional Risks Associate Director, Claire Meade.