Cyber Electronic Risk: Insurance Implications

Cyber risk has been with us for some time, with cybercrime events such as WannaCry and NotPetya being well publicised. Given its systemic nature, it has the potential to impact many, if not all, insurance policies. The fast pace at which cyber risks have developed means that insurance policies have until now remained silent. The term ‘silent cyber’ has entered the insurance market in recent years, describing losses related to cyber risk from traditional Property and Liability policies that were never designed to cover such exposures. A much-publicised example of such unintentional cover being provided is the USD 1.4 billion claim made against the insurers for the global pharma firm, Merck, from the aforementioned NotPetya malware attack in 2017.

This raised concerns within the insurance industry, including at bodies such as the Prudential Regulation Authority (PRA), which in July 2017 issued a Supervisory Statement on Cyber insurance underwriting risk following a cross-industry review carried out between October 2015 and June 2016. The statement divided cyber insurance underwriting risk into two categories: i) affirmative – those which explicitly include coverage for cyber risk; and ii) non-affirmative – those that do not explicitly include or exclude coverage for cyber risk.

For non-affirmative cyber risks, Lloyd’s imposed a requirement on their underwriters to introduce policy language to remove any ambiguity and eradicate the non-affirmative risk (Reinsurance News, Matt Sheehan, 2019). The initial rollout was for first party/physical damage classes of business at 1 January 2020, with the remainder of the market staggered over three additional phases. All insurance classes were meant to be finally captured on 1 July 2021, thereby ensuring that all Lloyd’s policies incepting after this date provided clarity with regard to Cyber risk by clearly affirming or excluding cyber cover. This did not happen in all circumstances, with bodies such as the Solicitors Regulation Authority only approving its Professional Indemnity insurance cybercrime clause in late October 2021.

The Lloyd’s Market Association published a suite of model Cyber clauses, such as LMA5400, to help standardise and clarify cover for Lloyd’s members. LMA5400 relates to cyber coverage under first party property damage policies. It excludes any direct or indirect losses to ‘Data’ and any losses directly resulting from a ‘Cyber Act’ or ‘Cyber Incident’, with a write-back for resulting fire or explosion damage from a ‘Cyber Incident’ only (unless the ‘Cyber Incident’ is related to a ‘Cyber Act’ – being an unauthorised, malicious or criminal act, or series of related unauthorised, malicious or criminal acts, regardless of time and place, or the threat or hoax thereof involving access to, processing of, use of or operation of any ‘Computer System’). So, in summary, LMA5400 is all but a Cyber exclusion!

Composite insurers have followed suit, reviewing and adapting their Cyber/Electronic Risks exclusions to restrict cover. Heading into 2022, as reinsurance treaties renew, Howden expects those insurers that escaped the tightening of policy language to be captured by uniform market exclusions to bring greater parity. That being said, the current marketplace does not operate a consistent approach, so care needs to be taken when comparing composite insurer wordings.

Current wordings vary, and coverage may be restricted more widely than people would envisage. As a general rule, cover for directly resultant damage arising from a Cyber/Electronic Risk incident is restricted solely to fire and explosion, although there are insurers that extend it to provide ‘Defined Perils’. Caution is needed, though, because the Cyber/Electronic Risk definitions, the exclusions and the write-backs need to be read carefully. For example, most insurers have a total exclusion for cybercrime, which would include hacking, meaning that resultant damage caused by Fire & Explosion or a ‘Defined Peril’ from such a malicious attack would be excluded.

Howden knows of policy forms that do not currently exclude resultant Fire and/or Explosion damage arising from hacking. For the reasons communicated earlier, these broader policy forms are unlikely to remain.

To help address Cyber risk, bespoke insurance products have been developed to cater for some of these exposures. These transcend pure indemnification of a loss; for example, they include protection for the costs needed to respond to a coordinated cyber breach, such as investigating and remediating IT security. They also commonly extend to cover legal liability for data breaches and, where legally permissible, respond to ransomware attacks.

This is a very fluid situation and policyholders need to understand the breadth of protection provided under their Property and General Liability policies.