Insurers Take Steps to Reduce Silent Cyber Exposure
As cyber risks continue to proliferate, issues concerning coverage for those exposures under non-cyber or "traditional" property and casualty policies are creating uncertainty for both the insurance industry and for policyholders. In response, insurers are taking steps to provide more clarity around these issues, including the introduction of new absolute and limited cyber exclusions.
Recent Policy Changes
Spurred on by a mandate from the UK Prudential Regulation Authority to either affirmatively cover or exclude cyber acts (malicious acts) and cyber incidents (accidental or operational error) by January 1, 2020, two UK insurance industry associations have released new cyber exclusions to eliminate or substantially limit potential coverage for cyber-related claims.
In November 2019, the Lloyd's Market Association issued two exclusion for property policies, although they can be utilized in other forms as well. The first, LMA 5400, excludes coverage for any loss arising out of a cyber act or a cyber incident, but contains a carve out for ensuing fire or explosion from a cyber incident only. All other resultant damage from a cyber act or incident is excluded. There is coverage for the cost of repair or replacement of damaged data processing media and the cost of copying data from backups or from originals of a previous generation. The exclusion states:
Notwithstanding any provision to the contrary within this Policy or any endorsement thereto this Policy excludes any:
1.1 Cyber Loss, unless subject to the provisions of paragraph 2;
1.2 loss, damage, liability, claim, cost, expense of whatsoever nature directly or indirectly caused by, contributed to by, resulting from, arising out of or in connection with any loss of use, reduction in functionality, repair, replacement, restoration or reproduction of any Data, including any amount pertaining to the value of such Data, unless subject to the provisions of paragraph 3; regardless of any other cause or event contributing concurrently or in any other sequence thereto.
2 Subject to all the terms, conditions, limitations and exclusions of this Policy or any endorsement thereto, this Policy covers physical loss or physical damage to property insured under this Policy caused by any ensuing fire or explosion which directly results from a Cyber Incident, unless that Cyber Incident is caused by, contributed to by, resulting from, arising out of or in connection with a Cyber Act including, but not limited to, any action taken in controlling, preventing, suppressing or remediating any Cyber Act.
3 Subject to all the terms, conditions, limitations and exclusions of this Policy or any endorsement thereto, should Data Processing Media owned or operated by the Insured suffer physical loss or physical damage insured by this Policy, then this Policy will cover the cost to repair or replace the Data Processing Media itself plus the costs of copying the Data from back-up or from originals of a previous generation. These costs will not include research and engineering nor any costs of recreating, gathering or assembling the Data. If such media is not repaired, replaced or restored the basis of valuation shall be the cost of the blank Data Processing Media. However, this Policy excludes any amount pertaining to the value of such Data, to the Insured or any other party, even if such Data cannot be recreated, gathered or assembled.
4 In the event any portion of this endorsement is found to be invalid or unenforceable, the remainder shall remain in full force and effect.
5 This endorsement supersedes and, if in conflict with any other wording in the Policy or any endorsement thereto having a bearing on Cyber Loss, Data or Data Processing Media, replaces that wording.
DEFINITIONS
6 Cyber Loss means any loss, damage, liability, claim, cost or expense of whatsoever nature directly or indirectly caused by, contributed to by, resulting from, arising out of or in connection with any Cyber Act or Cyber Incident including, but not limited to, any action taken in controlling, preventing, suppressing or remediating any Cyber Act or Cyber Incident.
7 Cyber Act means an unauthorised, malicious or criminal act or series of related unauthorised, malicious or criminal acts, regardless of time and place, or the threat or hoax thereof involving access to, processing of, use of or operation of any Computer System.
8 Cyber Incident means:
8.1 any error or omission or series of related errors or omissions involving access to, processing of, use of or operation of any Computer System; or
8.2 any partial or total unavailability or failure or series of related partial or total unavailability or failures to access, process, use or operate any Computer System.
9 Computer System means:
9.1 any computer, hardware, software, communications system, electronic device (including, but not limited to, smart phone, laptop, tablet, wearable device), server, cloud or microcontroller including any similar system or any configuration of the aforementioned and including any associated input, output, data storage device, networking equipment or back up facility, owned or operated by the Insured or any other party.
10 Data means information, facts, concepts, code or any other information of any kind that is recorded or transmitted in a form to be used, accessed, processed, transmitted or stored by a Computer System.
11 Data Processing Media means any property insured by this Policy on which Data can be stored but not the Data itself.
The second exclusion, LMA 5401, is an "absolute" exclusion that bars coverage for both malicious cyber acts and non-malicious cyber incidents, with no carve out. There is no coverage for repair or replacement of data or for data loss caused by any physical peril. That exclusion provides in relevant part:
1. Notwithstanding any provision to the contrary within this Policy or any endorsement thereto this Policy excludes any:
1.1 Cyber Loss;
1.2 loss, damage, liability, claim, cost, expense of whatsoever nature directly or indirectly caused by, contributed to by, resulting from, arising out of or in connection with any loss of use, reduction in functionality, repair, replacement, restoration or reproduction of any Data, including any amount pertaining to the value of such Data;
regardless of any other cause or event contributing concurrently or in any other sequence thereto.
2 In the event any portion of this endorsement is found to be invalid or unenforceable, the remainder shall remain in full force and effect.
3 This endorsement supersedes and, if in conflict with any other wording in the Policy or any endorsement thereto having a bearing on Cyber Loss or Data, replaces that wording.
The International Underwriting Association of London also released two exclusions, an absolute and a limited cyber loss exclusion. The Cyber Loss Absolute Exclusion Clause, IUA 01-081, provides:
1. Notwithstanding any provision to the contrary within this contract, this contract excludes any Cyber Loss.
2. Cyber Loss means any loss, damage, liability, expense, fines or penalties or any other amount directly or indirectly caused by:
2.1 the use or operation of any Computer System or Computer Network;
2.2 the reduction in or loss of ability to use or operate any Computer System, Computer Network or Data;
2.3 access to, processing, transmission, storage or use of any Data;
2.4 inability to access, process, transmit, store or use any Data;
2.5 any threat of or any hoax relating to 2.1 to 2.4 above;
2.6 any error or omission or accident in respect of any Computer System, Computer Network or Data.
3. Computer System means any computer, hardware, software, application, process, code, programme, information technology, communications system or electronic device owned or operated by the Insured or any other party. This includes any similar system and any associated input, output or data storage device or system, networking equipment or back up facility.
4. Computer Network means a group of Computer Systems and other electronic devices or network facilities connected via a form of communications technology, including the internet, intranet and virtual private networks (VPN), allowing the networked computing devices to exchange Data.
5. Data means information used, accessed, processed, transmitted or stored by a Computer System.
6. When this clause forms part of a reinsurance contract, Insured shall be amended to read Original Insured. (bolding added)
IUA 09-082, the Cyber Loss Limited Exclusion Clause, is identical to the Absolute Exclusion Clause except that it does not contain the words "and indirectly" in Paragraph 2.
Individual insurers are also taking steps to address silent cyber exposures. Allianz and AIG, for example, announced initiatives to either affirmatively cover or exclude physical and non-physical cyber exposures across traditional policies. Over the past several years, the Insurance Services Office (ISO) also has issued cyber exclusions for various lines of traditional policies.
As the pace and severity of cyber risks continue to create wreak havoc for enterprises across every industry vertical, we can expect to see more insurers take steps to address related coverage concerns and channel those exposures to dedicated cyber policies.