Published: Tuesday, 14 December 2021
It is not always clear what cyber cover is included in many PI policies
Are your cyber risks adequately covered?
With most companies running completely paperless and more of us working remotely (especially since Covid), we have come to rely almost entirely on technology to run our businesses. We store our business and client data, both personal and financial information, electronically; we transact electronically; and we communicate electronically.
This has given rise to an increase in cyber-related crime, leading to closer scrutiny of traditional liability policies, the extent to which they provide protection for policyholders, and the exposure they create for insurers.
What is Silent Cyber?
Many traditional Professional Indemnity insurance policies do not explicitly include or exclude cyber risks, leaving it unclear whether cover is provided, what or how much cover is provided and what specifically is excluded. This potential cyber exposure is what is referred to as ‘silent cyber’ (or non-affirmative cover).
Why is this a problem?
The ambiguity of what is and isn’t covered is a problem for both the policy holder and the insurer.
For the policy holder, where there is a lack of clarity, there may be an assumption that cover is provided when it is not. If a cyber incident occurred, they would be without cover.
From an insurer’s point of view, it leaves them open to exposures that were neither intentionally underwritten nor priced for, negatively affecting their portfolio.
How have the insurance regulators responded?
The Prudential Regulation Authority (PRA) and Lloyd’s of London placed a requirement on insurers to reduce unintended cyber exposure.
Lloyd’s of London mandated that from 1st January 2021, all policies underwritten by Lloyd’s syndicates should clarify cyber coverage by either providing affirmative cover or excluding it altogether. This has been extended to 1st October 2021 for professional indemnity insurers providing cover to regulated professions.
To help insurers meet the deadline, the Lloyd’s Market Association (LMA) and the International Underwriting Association (IUA) created model endorsements for insurers to use. These seek to restrict or exclude cover for cyber-related claims which otherwise may have been deemed to be included within a liability policy.
How has the ICAEW responded?
The ICAEW made changes to its approved minimum wording to reflect this change in the insurance market; these came into effect from 1st September 2021. It has effectively used the IUA’s model clause wording, but with the stipulation that the exclusions only apply to ‘relevant first party loss’ (i.e. the insured’s own internal costs), thus preserving most of the cover for third party claims, ombudsman awards and defence costs.
How have the Insurers responded?
Most insurers have adopted a version of the model endorsements provided by the IUA, with slight variations in terminology in order to fit their own policy wordings. Where there is a wider coverage requirement, as with the ICAEW or other regulators, this will be picked up by the insurer by way of a Difference in Condition clause.
Should you consider a separate cyber policy?
Some professions, such as accountants and lawyers, hold a significant amount of client data and/or money and are therefore particularly targeted by cyber criminals. SMEs are also a target, as their security is often not as sophisticated as that of some of the larger firms and their systems are therefore more easily penetrated.
With Professional Indemnity insurers looking to restrict or exclude cyber cover, and with cybercrime on the increase, it makes sense to consider a standalone cyber policy to fill the gaps in cover left by the more traditional lines of insurance, ensuring that your business is adequately protected.
Account Executive, Ntegrity