Silent Cyber and PI Coverage – the Final Frontier

From 1 January 2021, Lloyd’s syndicates are required to clarify their position on ‘silent cyber’ in Professional Indemnity (PI) and Directors’ and Officers’ (D&O) policies. Experience from roll-out on previous policy classes indicates there may be limited consistency between insurers, and some overly broad exclusions put forward. Fundamentally, however, the process is likely to result in reduced cover under PI policies for cyber-related exposures. As a result it will be more important than ever to consider whether a separate Cyber insurance policy is required, and to ensure that appropriate cover is maintained.

What is ‘Silent Cyber’?

The development of technology, and of the world’s reliance on data, has led to an expanding scope of cyber exposures faced by policyholders and by insurers. Some of these are obvious, but many others are not – and certainly were not when many traditional insurance policy wordings were originally developed.

‘Silent cyber’ is the term used to describe potential cyber exposures within these traditional property or liability insurance policies, where cyber coverage is neither explicitly excluded nor clearly included. This can result in coverage which may be ambiguous, with an increased risk of disputes between policyholders and insurers and cover not matching policyholder expectations. From a regulatory standpoint, underwriting and risk pricing may not accurately reflect the cyber risks for which cover is ‘silently’ provided.

Lloyd’s of London, insurers and regulators have become concerned that silent cyber may represent an unexpected risk to insurers’ portfolios, with large unintended aggregate cyber exposures. As a result, first the Prudential Regulation Authority (in January 2019) and then Lloyd’s (in July 2019) have required insurers to put plans into action to reduce those unintended or unclear exposures. Lloyd’s of London has mandated that all policies underwritten by Lloyd’s syndicates should provide clarity regarding cyber coverage, either by excluding it or by providing affirmative coverage. Company markets are also following suit, both for consistency (as many also operate a Lloyd’s syndicate) and in response to comments from regulators.

The changes are being introduced in a number of phases. The first applied to first party property damage policies, from 1 January 2020. The second phase included Bankers Blanket Bond and crime policies, and commenced on 1 July 2020. The third phase, most importantly for present purposes, will include PI and other liability policies and will commence on 1 January 2021.

How has the phased roll-out been progressing?

Excluding or affirming cyber cover sounds simple in theory. In practice, however, it has been far from plain sailing. The July 2020 phase of the mandate, involving crime policies, was something of a difficult second album for a number of reasons.

First, given the mandate and the short timeline provided by Lloyd’s, the initial response of insurers was to exclude rather than to affirm cover. From their perspective this was sensible, as they were wary of confirming cover where they had not yet fully understood their exposures. However, there was little centralised alignment or control. Lloyd’s did not itself provide a definitive clause, or approve any particular market clause. The Lloyd’s Market Association (LMA), whose wordings insurers often follow, only released its proposed clause on 22 June 2020. Since this was under two weeks before the deadline, numerous individual insurer forms were already in use.

Second, the market exclusions in use were sometimes inconsistent or overly broad. The drafting was not helped by the definition of ‘cyber risk’ put forward by Lloyd’s and the PRA, which is:

"Any risk where the losses are cyber-related, arising from either malicious acts (e.g. cyber-attack, infection of an IT system with malicious code) or non-malicious acts (e.g. loss of data, accidental acts or omissions) involving either tangible or intangible assets."[1]

The examples of ‘malicious acts’ are straightforward, but the concept is a problem in the context of crime policies. Core crime cover is for direct financial loss arising from malicious or dishonest acts. However, the majority of crime incidents now involve the use of a computer system, even if at heart they are still traditional crimes such as employee infidelity. As a result, any broad silent cyber exclusion focused on “cyber-related malicious acts” is also likely to remove a number of core ‘traditional’ crime coverages. This was a particular problem because equivalent cover for direct financial loss is not generally available under standard cyber policies.

From the policyholder/broker perspective, the roll-out therefore resulted in time-consuming negotiation with each market on a placement, to try to align them behind one (appropriately amended) clause – whether the LMA form, or an individual insurer equivalent. This needed care to ensure (i) that key cover was not removed; (ii) that exclusions defined cyber risk appropriately; and (iii) that the focus was on areas where there was true overlap with cyber policies, such as cyber extortion / ransomware.

What are the prospects for PI and D&O cover?

The good news is that the market has learnt from earlier phases. The International Underwriting Association (IUA) has acted early and put forward a proposed model clause. This is currently the subject of discussion with participating insurers, with input having been sought from major brokers, as well as from regulators of affected industries (solicitors, accountants and similar). It is to be hoped that this work will ensure both that the resulting model clause is appropriately drafted to avoid lack of clarity or gaps in cover, and that it will have broad market support.

Separately, the position on ‘silent cyber’ coverage under PI policies is in some ways more straightforward than under crime policies. That is because cyber policies generally provide coverage for liability claims arising from data breaches and other cyber incidents, in a way that they don’t for direct financial losses under crime policies. So long as PI policy exclusions are drafted to match the triggers for cyber policy coverage, there should be less scope for unintentional gaps in cover.

That said, there are still issues to be worked through. For example, the IUA clause currently seeks to exclude cover for liability arising from system failures – but that is not cover generally available in the cyber market either, and so a solution will need to be found. The position of the market on ‘silent cyber’ in D&O policies is also unclear, particularly as there is limited overlap between D&O and cyber coverage. D&O exposures tend to be less direct, such as claims against directors for breach of duty in respect of cyber security failings, or shareholder claims following a reduction in stock value as the result of a large data breach. These are essentially ‘standard’ D&O claims merely set against the background of a cyber incident – so the argument for the market providing affirmative cover may be a stronger one. That, however, has yet to be determined.

What should you do?

The message at present is to ‘be prepared’. The approach being taken by insurers will change how cyber risks are covered – or not covered – under existing insurance programmes. Some insurers have already begun to take steps. That means policyholders will need to review their current policies carefully alongside their broker and examine any exclusion proposed, to ensure that it is fully understood and not overly broad. In many cases, a standalone cyber policy may be the best solution to ensure coverage and fill gaps resulting from a silent cyber exclusion.

This article was authored by members of Howden’s Legal, Technical & Claims team. The Legal, Technical & Claims team is made up of senior insurance lawyers and experienced claims professionals, and provides support on insurance claims, policy wordings and legal and regulatory developments as they impact your business. If you have any queries on the issues raised, please feel free to contact a member of the team directly.

Sam Vardy, Associate Director:

T: +44 (7719) 928600 E: [email protected]

Neil Warlow, Associate Director:

T: +44 (7923) 208441 E: [email protected]

Carey Lynn, Executive Director:

T: +44 (7923) 229882 E: [email protected]