
In July 2019, Lloyd's mandated that all insurance policies must be clear on whether coverage is provided for losses caused by a cyber-event. This clarity was deemed in the best interests of insureds, brokers and insurers. The mandate requires that all policies either exclude cyber coverage or provide affirmative coverage.

To support the market in making the necessary changes, this requirement is being implemented using a phased approach. As part of this roll-out, Lloyd's Professional Indemnity Insurance (PII) policies placed from 1 January 2021 must include a cyber-liability endorsement, which either affirms or excludes cyber losses.

In late 2019, the International Underwriting Association's (IUA) Professional Indemnity Forum (PIF) created a working group to consider how cyber risks are treated within PII policies. The default IUA cyber clause, which is being used by a large number of insurers, does meet the requirements of the Lloyd's mandate. In general terms, it reflects the market feedback obtained by the wording group as to where cyber losses should sit, i.e. under a PII policy or a cyber-policy.

Having said that, it is important to understand the proposed clause as well as its implications well in advance of renewal so that you can prepare accordingly.

The IUA clause in its unaltered form is as follows:

  1. This endorsement takes priority over any other provision in this contract.
  2. Save as expressly provided in this endorsement, or by other restrictions in this contract specifically relating to the use of, or inability to use, a Computer System, no cover otherwise provided under this contract shall be restricted solely due to the use of, or inability to use, a Computer System.
  3. This contract excludes any loss, damage, liability, claim, costs, expense, fines, penalties, mitigation costs or any other amount directly caused by, directly resulting from or directly arising out of: a) a Cyber Act; or b) any partial or total unavailability or failure of any Computer System; provided the Computer System is owned or controlled by the insured or any other party acting on behalf of the insured in either case; or c) the receipt or transmission of malware, malicious code or similar by the insured or any other party acting on behalf of the insured.
  4. This contract excludes any loss, damage, liability, claim, costs, expense, fines, penalties, mitigation costs or any other amount directly or indirectly caused by, directly or indirectly resulting from or directly or indirectly arising out of any failure or interruption of service provided: a) to the insured or any other party acting on behalf of the insured by an internet service provider, telecommunications provider or cloud provider but not including the hosting of hardware and software owned by the insured; b) by any utility provider, but only where such failure or interruption of service impacts a Computer System owned or controlled by the insured or any other party acting on behalf of the insured.
  5. This contract excludes any loss, damage, liability, claim, costs, expense, fines, penalties, mitigation costs or any other amount for actual or alleged breach of Data Protection Law by the insured or any other party acting on behalf of the insured.
  6. Any cover for costs of reconstituting or recovering lost, inaccessible or damaged documents owned or controlled by the insured or any other party acting on behalf of the insured in this contract shall not apply to Data.

For the purposes of this endorsement the following definitions apply:

Computer System means any computer, hardware, software, communications system, electronic device (including, but not limited to, smart phone, laptop, tablet, wearable device), server, cloud or microcontroller including any similar system or any configuration of the aforementioned and including any associated input, output, data storage device, networking equipment or back up facility.

Cyber Act means an unauthorised, malicious or criminal act or series of related unauthorised, malicious or criminal acts, regardless of time and place, or the threat or hoax thereof, involving access to, processing of, use of or operation of any Computer System.

Data means information, facts, concepts, code or any other information of any kind that is recorded or transmitted in a form to be used, accessed, processed, transmitted or stored by a Computer System.

Data Protection Law means any applicable data protection and privacy legislation or regulations in any country, province, state, territory or jurisdiction which govern the use, confidentiality, integrity, security and protection of personal data or any guidance or codes of practice relating to personal data issued by any data protection regulator or authority from time to time (all as amended, updated or re-enacted from time to time).

Given the above, it is likely that some cyber losses previously met under your PII policy will no longer be covered. For the most part, these excluded losses could be met under a standalone cyber policy (with technology errors and omissions cover where appropriate). Particular scrutiny should be given to the limit of cover in any cyber policy.

If you choose not to purchase a cyber-liability policy alongside your PII, it is important to check that you are not losing out on important coverage. Your broker should be able to explain the key elements of coverage within your PII policy that will be affected and it would be prudent to assess these in good time. Civil liability policies will largely be affected by this change, but the approach and solution will differ depending upon the insured, the PII policy wording and attitude towards cyber liability exposures.

Please contact your Lockton Account Executive for more information and to discuss what this change may mean to you.