Silent Cyber – will there be changes to the Minimum Terms and Conditions (MTCs) for 1 October 2021?

Unfortunately the SRA has been unable to agree amendments to the MTCs to clarify the position on “silent cyber” for the 1 October 2021 renewal of solicitors’ PII policies.

“Silent cyber” is an issue that is currently receiving attention in the insurance market and this includes the solicitors’ PII market. We reported on this in our Market Report published in July 2021, but there have been further developments following a recent meeting between the SRA and various interested parties.

The current MTC wording does respond, subject (as always) to policy terms and conditions, where loss to a third party is related to a cyber event. Examples include loss of client funds as a result of a cyber-attack impacting the client account or a limitation date being missed if a centralised diary system is compromised as a result of a cyber breach. The position is different with regard to first party losses and the MTC wording does not respond to losses such as incident response costs, replacing data, software and hardware impacted in a cyber-attack, or costs associated with a ransomware attack, including the amount of any ransom. While this is the broadly accepted position, there is no specific reference in the MTCs to cover for cyber-related issues and the SRA has therefore been asked to address this “silent cyber” position.

The initial expectation of the PRA and Lloyd’s was that PII policy wordings should be amended by 1 January 2021. Notwithstanding the deadline, there was no change to the SRA’s Minimum Terms and Conditions (MTCs) to address this issue for the April 2021 renewal of compulsory (primary) cover, but an endorsement in the form of an exclusion was added to most excess layer policies.

The SRA accept that the MTCs require amendment and they consulted on this issue in March and April of this year. Their stated intention is that there should be no change in the existing scope of cover under the MTCs (i.e. excluding first party losses and providing cover for third-party losses or liability). However, rather than adopting a simple clause to confirm that position, the SRA has proposed an amendment to the MTCs that would permit an exclusion in relation to certain cyber exposures, but then “carve back” cover for third party losses.

Howden responded to the consultation proposing that an affirmative clause would be more straightforward and this was also the position taken in some other consultation responses and by a number of participants attending the recent meeting with the SRA. While the SRA have indicated they will consider matters further, we do not know what the final outcome will be. However, there will be an amendment in some form and firms should continue to monitor this issue.

On the issue of timing, it had been expected that the changes to the MTCs would be in place for the 1 October 2021 renewal and both the PRA and Lloyd’s had confirmed that their original deadline of 1 January 2021 could be extended to 1 October 2021 in the case of those policies where terms are controlled by a regulator such as the SRA. We were therefore somewhat surprised to be advised by the SRA at the recent meeting referred to above, that they do not expect to be in a position to finalise and submit their proposed changes to the Legal Services Board for approval until the end of this year.

Assuming this remains the position, there will be no change to the MTCs for October 2021. Some insurers providing solicitors’ primary PII cover might decide to introduce a “silent cyber” clause to their policy wording notwithstanding this, however if this is inconsistent with the MTCs then the latter will always prevail.

Policyholders do need to stay in touch with their brokers on this issue during the course of the policy year as we cannot be certain about what the form and scope of the amendment will eventually be and whether or not it will ultimately impact existing cover under the MTCs. Under the Participating Insurers Agreement, the SRA can require insurers to adopt and give effect to a variation of the MTCs on two months written notice to the insurer or insured firm.[1] This means that your primary PII policy might change mid-term or exclusions imposed by insurers at the inception of your renewal policy could become effective mid-term. It will be important to understand what the change is and whether you need to take any action as a result of this as cases will vary.

We will continue to report on this matter, and this is an issue that you need to discuss with your broker when renewing your PII so that you clearly understand what the position is with regard to both your primary and excess layer PII cover, both at inception of the policy and during the policy year when any changes are introduced. If you do not already have a separate cyber liability policy, we also recommend that this is also a good time to investigate and consider taking that cover.