Silent Cyber & Professional Services Exclusions – Mind the Gap

It is not easy for financial institutions (FIs) and professions to marry their Professional Indemnity (PI) and Cyber insurance programmes, and it is only getting tougher. As PI and Cyber markets retreat behind their respective ‘Cyber’ and ‘Professional Services’ exclusions, insureds need to be wary of falling into an emerging gap in the middle.


In the halcyon days of a soft market, PI insurers were comfortable providing fairly extensive cover for cyber risks within the main insuring cover (so-called ‘silent cyber’ cover) for FI and professional insureds. Similarly, Cyber insurers, whose policies traditionally sat in excess of the PI policy, had moved towards providing cover for professional risks (‘hidden PI’) through the application of ‘Difference in Conditions’ (DIC) clauses.


This laissez-faire approach reflected the reality of a cross-over of risk, particularly third-party liability risk, when an insured, in performing its professional service and/or meeting its professional duties, uses and relies upon its IT systems and networks. But now that winter is here and the bitter winds of the hard market hold sway, PI and Cyber insurers have sought to hide behind their exclusionary walls.


Since the start of this year, PI insurers in the Lloyd’s market have been required to specify whether their policy does or does not respond to certain Cyber risks. Rather than providing affirmative cover (i.e. confirming that insured risks are not excluded simply because they have a cyber element), many PI insurers have used this as an opportunity to apply what are, in fact, broad Cyber exclusions such as IUA04-017. These exclusions can, through their causation language, not only exclude first and third party losses caused by the cyber incident but also potentially (presumably, inadvertently) undermine core cover for insureds where the cyber incident is only remotely connected to the loss.


Cyber underwriters, who have not priced hefty PI exposures into their policies, are worried that any liability cover which has been lost under the PI policy through the Cyber exclusion will end up tumbling into their Cyber policy (especially if there has been a DIC clause linking the two policies). In response, the Cyber market is seeking to apply broadly worded Professional Services exclusions.


There is nothing wrong with having a clear delineation between PI and Cyber. What would be wrong, however, is for insureds to lose out on cover altogether when it had previously been offered under one or even both policies. We now have a situation where a PI insurer can take advantage of broadly worded Cyber exclusions to exclude a loss as Cyber under its policy, while a Cyber insurer, relying upon a broadly worded Professional Services exclusion, points the insured back in the other direction, telling them it is a PI loss and therefore excluded under its Cyber policy.


The PRA and Lloyd’s no doubt had good intentions in requiring insurers to identify their Silent Cyber exposures. The danger for insureds, however, is that the path to no cover is paved with such good intentions.

 

Does this issue affect only PI and Cyber?

 

No, Lloyd’s has mandated that its members should consider their position across numerous lines of business, and this issue is, therefore, a multi-headed hydra. In the same way that insurers must assess their cyber exposures across all lines of business, it pays for insureds to take a parallel approach.

 

What can insureds do to avoid the gap?


1. Identify and map out precisely where cyber risks are covered under existing insurance programmes (across all lines of business). This will highlight any potential duplication of cover and where new exclusions may cause problems. Forewarned is forearmed.

2. Push back against the Silent Cyber exclusions wherever they pop up on any programme. The Lloyd’s and PRA requirements on Silent Cyber oblige insurers to ascertain their Cyber exposures – they do not require insurers to stop writing the risk. What is wrong with affirmative cover? The PI (and other non-Cyber) insurers were writing this risk before – has anything really changed?

3. Even if a Cyber exclusion is coming, seek to amend the language. Don’t just accept IUA04-017 or equivalents on other lines of business as a given. Small changes to the causation language can make a very significant difference to what is being excluded and protect core cover under the non-Cyber policy.

4. In the context of PI, check carefully how the language of the Cyber exclusion on the PI policy and any Professional Services exclusion Cyber insurers are seeking to apply fit together. Co-ordination is key here, and mismatch is the enemy. This requires careful review and consideration. Small discrepancies in the wordings can have big ramifications in terms of loss of cover.

Peter Dunlop

CPCU, FCIArb, Partner, Global Co-Head of Insurance - On Garden Leave

2y

A good summary of a very topical issue - with your usual references to the Classics
