London's company market trade body, the International Underwriting Association (IUA), has published model cyber exclusions to be applied to traditional property and casualty policies. Such moves should provide the foundations for more industry-specific affirmative cyber cover.
In June, the IUA released two new London market model clauses to help underwriters manage cyber losses. The wordings were developed to address non-affirmative coverage (also known as silent cyber) in traditional insurance policies.
Most traditional insurance policies were designed before cyber emerged as a major risk, and often do not explicitly mention cyber. As a result, it is often unclear how a traditional policy might respond to a cyber loss, while wordings may not always reflect the intentions of underwriters.
Silent cyber has been a hot topic in the London market for some time. It causes uncertainty for both insurers and clients, and has become a focus of regulators in recent months and years. Global malware attacks in 2017, for example, resulted in a number of claims against commercial property insurance policies, some of which resulted in coverage disputes and litigation.
Insurance regulators and ratings agents are putting insurers under pressure to better manage silent cyber exclusions. The UK’s Prudential Regulatory Authority (PRA) and Financial Conduct Authority, in particular, have called upon UK insurers to proactively tackle silent cyber in traditional insurance lines.
The PRA’s Supervisory Statement (SS4/17) in July 2017 – reiterated in a letter to the chief executives in January 2019 – urged insurers to actively manage their exposures by considering adjustments to premiums, robust wording exclusions, and specific limits of cover.
Many of the large international property/ casualty insurers have been reviewing policies to address silent cyber. In some cases, such as with Allianz and AIG, carriers have publicly committed to move towards affirmative cover, either through extensions or standalone cyber insurance.
FM Global recently introduced lower sublimits for cyber cover under its property insurance, and has revised policy wordings to address silent cyber.
The IUA’s two new model wordings are intended to act as catch-all exclusions. The Cyber Loss Absolute Exclusion Clause (IUA 09-081) was developed to provide underwriters with a tool to exclude “in the broadest possible manner, any loss, whether malicious or otherwise, arising out of the use of (or inability to use)” a computer system, network or data – each of which is clearly defined.
The Cyber Loss Limited Exclusion Clause (IUA 09-082) differs in that it excludes only losses directly caused by cyber events, rather than “directly or indirectly”, which ties the proximate cause within the wording to a cyber event.
The model exclusions, which are applied on a voluntary basis, should give a greater degree of clarity to cyber cover under property and casualty policies. They should also stimulate wider discussion on how the market can provide affirmative cyber cover by sector or class of business.
Notably, the IUA says the two model clauses are “a starting or reference point for insurers providing non-standalone cyber coverage, and, through the development of class-specific write backs, allow insurers to explicitly state the extent of cover provided for any cyber loss”.
This suggests insurers are moving in the right direction. However, clients should be cautious of accepting these blanket cyber exclusions without considering modifications or buybacks.