Silent Cyber & Professional Services Exclusions – Mind the Gap
It is not easy for financial institutions (FIs) and professions to marry their Professional
Indemnity (PI) and Cyber insurance programmes, and it is only getting tougher.
As PI and Cyber markets retreat behind their respective ‘Cyber’ and ‘Professional
Services’ exclusions, insureds need to be wary of falling into an emerging gap in the
middle.
In the halcyon days of a soft market, PI insurers were comfortable providing fairly
extensive cover for cyber risks within the main insuring cover (so-called ‘silent cyber’
cover) for FI and professional insureds. Similarly, Cyber insurers, whose policies
traditionally sat in excess of the PI policy, had moved towards providing cover for
professional risks (‘hidden PI’) through the application of ‘Difference in Conditions’
(DIC) clauses.
This laissez-faire approach reflected the reality of a cross-over of risk, particularly
third-party liability risk, when an insured, in performing its professional service and/
or meeting its professional duties, uses and relies upon its IT systems and networks.
But now winter is here and the bitter winds of the hard market hold sway, and PI and
Cyber insurers have sought to hide behind their exclusionary walls.
Since the start of this year, PI insurers in the Lloyd’s market have been required to
specify whether their policy does or does not respond to certain Cyber risks. Rather
than providing affirmative cover (i.e. confirming that insured risks are not excluded
simply because they have a cyber element), many PI insurers have used this as an
opportunity to apply what are, in fact, broad Cyber exclusions such as IUA04-017.
These exclusions can, through their causation language, not only exclude first- and
third-party losses caused by the cyber incident but also potentially (presumably
inadvertently) undermine core cover for insureds where the cyber incident is only
remotely connected to the loss.
Cyber underwriters, who have not priced hefty PI exposures into their policies, are
worried that any liability cover which has been lost under the PI policy through the
Cyber exclusion will end up tumbling into their Cyber policy (especially if there has
been a DIC clause linking the two policies). In response, the Cyber market is seeking
to apply broadly worded Professional Services exclusions.
There is nothing wrong with having a clear delineation between PI and Cyber.
What would be wrong, however, is for insureds to lose out on cover altogether
when it had previously been offered under one or even both policies. We now
have a situation where a PI insurer can take advantage of broadly worded Cyber
exclusions to exclude a loss as Cyber under its policy, while a Cyber insurer, relying
upon a broadly worded Professional Services exclusion, points the insured back in
the other direction, telling them it is a PI loss and therefore excluded under its Cyber
policy.
The PRA and Lloyd’s no doubt had good intentions in requiring insurers to identify
their Silent Cyber exposures. The danger for insureds, however, is that the path to
no cover is paved with such good intentions.
Does this issue affect only PI and Cyber?
No, Lloyd’s has mandated that its members should consider their position across
numerous lines of business, and this issue is, therefore, a multi-headed hydra. In the
same way that insurers must assess their cyber exposures across all lines of business,
it pays for insureds to take a parallel approach.
What can insureds do to avoid the gap?
1. Identify and map out precisely where cyber risks are covered under existing
insurance programmes (across all lines of business). This will highlight any
potential duplication of cover and where new exclusions may cause problems.
Forewarned is forearmed.
2. Push back against the Silent Cyber exclusions wherever they pop up on any
programme. The Lloyd’s and PRA requirements on Silent Cyber oblige insurers
to ascertain their Cyber exposures – they do not require insurers to stop writing
the risk. What is wrong with affirmative cover? The PI (and other non-Cyber)
insurers were writing this risk before – has anything really changed?
3. Even if a Cyber exclusion is coming, seek to amend the language. Don’t just
accept IUA04-017 or equivalents on other lines of business as a given. Small
changes to the causation language can make a very significant difference to what
is being excluded and protect core cover under the non-Cyber policy.
4. In the context of PI, check carefully how the language of the Cyber exclusion on
the PI policy and any Professional Services exclusion Cyber insurers are seeking
to apply fit together. Co-ordination is key here, and mismatch is the enemy. This
requires careful review and consideration. Small discrepancies in the wordings
can have big ramifications in terms of loss of cover.
CPCU, FCIArb, Partner, Global Co-Head of Insurance - On Garden Leave
A good summary of a very topical issue - with your usual references to the Classics