Model Cyber Exclusions Provide Basis for Industry Coverages

15 July 2019

London's company market trade body, the International Underwriting Association (IUA), has published model cyber exclusions to be applied to traditional property and casualty policies. Such moves should provide the foundations for more industry-specific affirmative cyber cover.

In June, the IUA released two new London market model clauses to help underwriters manage cyber losses. The wordings were developed to address non-affirmative coverage (also known as silent cyber) in traditional insurance policies.

Most traditional insurance policies were designed before cyber emerged as a major risk, and often do not explicitly mention cyber. As a result, it is often unclear how a traditional policy might respond to a cyber loss, while wordings may not always reflect the intentions of underwriters.

Silent cyber has been a hot topic in the London market for some time. It causes uncertainty for both insurers and clients, and has become a focus of regulators in recent months and years. Global malware attacks in 2017, for example, resulted in a number of claims against commercial property insurance policies, some of which resulted in coverage disputes and litigation.

Insurance regulators and ratings agents are putting insurers under pressure to better manage silent cyber exclusions. The UK’s Prudential Regulatory Authority (PRA) and Financial Conduct Authority, in particular, have called upon UK insurers to proactively tackle silent cyber in traditional insurance lines.

The PRA’s Supervisory Statement (SS4/17) in July 2017 – reiterated in a letter to the chief executives in January 2019 – urged insurers to actively manage their exposures by considering adjustments to premiums, robust wording exclusions, and specific limits of cover.

Subscribe to our latest News & Insights Sign up to our latest  news & insights

Many of the large international property/ casualty insurers have been reviewing policies to address silent cyber. In some cases, such as with Allianz and AIG, carriers have publicly committed to move towards affirmative cover, either through extensions or standalone cyber insurance.

FM Global recently introduced lower sublimits for cyber cover under its property insurance, and has revised policy wordings to address silent cyber.

Model Exclusions

The IUA’s two new model wordings are intended to act as catch-all exclusions. The Cyber Loss Absolute Exclusion Clause (IUA 09-081) was developed to provide underwriters with a tool to exclude “in the broadest possible manner, any loss, whether malicious or otherwise, arising out of the use of (or inability to use)” a computer system, network or data – each of which is clearly defined.

The Cyber Loss Limited Exclusion Clause (IUA 09-082) differs in that it excludes only losses directly caused by cyber events, rather than “directly or indirectly”, which ties the proximate cause within the wording to a cyber event.

The model exclusions, which are applied on a voluntary basis, should give a greater degree of clarity to cyber cover under property and casualty policies. They should also stimulate wider discussion on how the market can provide affirmative cyber cover by sector or class of business.

Notably, the IUA says the two model clauses are “a starting or reference point for insurers providing non-standalone cyber coverage, and, through the development of class-specific write backs, allow insurers to explicitly state the extent of cover provided for any cyber loss”.

This suggests insurers are moving in the right direction. However, clients should be cautious of accepting these blanket cyber exclusions without considering modifications or buybacks.



  • Sarah StephensSarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 8108 9541.

  • For more articles like this, download our Cyber Decoder

    Share this article