Considerable uncertainty has arisen recently because property policies now cover some cyber risk, the result of brokers pushing for increased cover as cyber risk has become more prevalent. This is generally referred to as silent cyber.
According to the JLT Specialty website, silent cyber is where potential cyber exposures are contained in traditional property and liability insurance policies that may not explicitly include, or exclude, cyber risks.
In a recent Market Bulletin (4th July 2019), Lloyd's says that it believes it is in the best interests of customers, brokers and insurers for policies to be clear on whether losses caused by a cyber event are covered or not.
This follows an investigation by the Prudential Regulation Authority and its letter of 30th January 2019, which requested that firms cover more ground, especially in relation to non-affirmative cyber risk management, risk appetite and strategy.
In response, Lloyd's is mandating that all policies now provide clarity regarding cyber coverage by either excluding it or providing affirmative coverage, although this requirement will be implemented on a phased basis.
The first phase applies to cover for first-party property damage risks incepting on or after 1st January 2020 (regardless of whether the policy is written on an all risks or named peril basis) and requires that the policy language is explicit as to whether coverage exists or is excluded, so far as cyber risks are concerned.
The first phase covers a wide range of Lloyd's business: from energy construction through to livestock, bloodstock and terrorism.
If you are a risk manager, the message is to look at your existing policies and stress test (if appropriate, with professional help) the wordings against a number of different scenarios, for example:
- Phishing: stealing confidential information by posing as an employee or client;
- Hacker attack causing service interruption;
- Ransomware attack causing business interruption;
- Cyber-attack on industrial plant causing physical damage and business interruption;
- Hacker attack causing loss of confidential client data.
Work out what cover is already provided and what cover you would ideally wish to have, especially in light of your disaster recovery plans and corporate risk appetite. With the assistance of brokers, understand precisely what cover is being offered under your new policy wordings (after 1st January 2020) and how to address and mitigate those risks for which cover cannot be obtained (for example, through an external cyber audit).
For insurers, the challenge is to decide what they clearly will and will not cover in a soft market, and to make sure that their policy wordings are clear and tightly drafted to cover all anticipated cyber risks and to avoid potentially costly misunderstandings.
Here at Jurit we have a team of lawyers who can assist you in reviewing your policy wordings and looking at your risk exposure, whether you are an assured or an insurer.
Please feel free to contact us if you have any queries: e-mail Ben Macfarlane at firstname.lastname@example.org, call Ben on 020 7846 0418, or speak to your usual Jurit contact.
Please note this paper is intended to provide general information and knowledge about legal developments and topics which may be of interest to readers. It is not a comprehensive analysis of law nor does it provide specific legal advice. Advice on the specific circumstances of a matter should be sought.