New Restrictions on RICS Minimum Terms - the Sound of Silent Cyber

From 1 January 2021, Lloyd’s syndicates were required by regulators to clarify their position on ‘silent cyber’ in professional indemnity insurance (PII) and directors’ and officers’ (D&O) policies.

This has resulted in all PII insurers looking to apply new exclusions, which have been mirrored in the updated RICS minimum terms. We discuss those terms and their impact below, but the ultimate outcome is reduced cover under PII policies for cyber-related exposures. As a result it will be more important than ever to consider whether a separate cyber insurance policy is required, and to ensure that appropriate cover is maintained.

What is ‘Silent Cyber’?

The development of technology, and the world’s reliance on data, has led to an expanding scope of cyber exposures faced by policyholders and insurers alike. Some of these risks are obvious, but many are not – and certainly wouldn’t have been when many traditional insurance policy wordings were originally developed.

‘Silent cyber’ is the term used to describe potential cyber exposures within these traditional property or liability insurance policies, where cyber coverage is neither explicitly excluded nor clearly included. This can result in coverage which may be ambiguous, resulting in an increased risk of disputes between policyholders and insurers, and cover not matching policyholder expectations. From a regulatory standpoint, underwriting and risk pricing may not accurately reflect the cyber risks for which cover is ‘silently’ provided.

Lloyd’s of London, insurers and regulators have become concerned that silent cyber may represent an unexpected risk to insurers’ portfolios, with large unintended aggregate cyber exposures. As a result, first the Prudential Regulatory Authority (in January 2019) and then Lloyd’s (in July 2019) have required insurers to put action plans in place to reduce those unintended or unclear exposures.  Lloyd’s of London has mandated that all policies underwritten by Lloyd’s syndicates should provide clarity regarding cyber coverage by either excluding it, or providing affirmative coverage. Company markets are also following suit, both for consistency (as many also operate a Lloyd’s syndicate) and driven by comments from regulators.

The changes have been introduced in a number of phases, with the phase including PII and other liability policies commencing on 1 January 2021.

How has the phased roll-out been progressing?

Excluding or affirming cyber cover sounds simple in theory. However in practice it has been far from plain sailing.

Given the mandate and the short timeline provided by Lloyd’s, the response of insurers was generally to exclude rather than to confirm cover. From insurers’ perspective this was sensible, as they were wary of confirming cover where they had not yet fully understood their exposures. However there was initially little centralised alignment or control - Lloyd’s did not itself provide a definitive clause, or approve any particular market clause.

Latterly, however, the insurance market has broadly aligned behind model clauses developed by the Lloyd’s Market Association (LMA) and the International Underwriting Association (IUA) respectively. These are both market bodies that insurers often follow.

How has RICS responded?

To reflect this market shift, RICS has made certain changes to the Approved Minimum Wording which came into effect on 1 April 2021. Those changes involve the addition of three new exclusions:

RICS’ express position is that “the changes do not restrict the cover provided in PII policies”. That does appear to be the case for the most part. Certainly it is not the intent to provide cover under a PII policy for the insured’s own costs under (ii) above. The system failure exclusion also does not apply to the extent the claim alleges a breach of duty in the performance of professional business – which is of course the basis for third party claims in a professional context.

That said, there is some potential for the exclusions to restrict the cover otherwise available. The computer virus exclusion at (i) is not subject of any ‘breach of duty’ protections, and so would apply where the alleged transmission was part of a negligence claim against the firm. The exclusions at (i) and (iii) might also apply to the Statutory Liabilities cover, as those covered claims are regulatory in nature and/or based directly on breach of statute independently of the professional business relationship. These are, however, likely to be relatively isolated incidents and cover is in any event sub-limited to GBP 250,000.

What is the position on insurance in excess of the Minimum Terms?

On insurance cover in excess of the Approved Minimum Wording, insurers are applying the LMA, particularly the IUA model clauses. These are much broader exclusions than the RICS language. They refer to similar cyber incidents, but operate more generally to exclude any third party claims that might arise as a result – without any protections where the claim alleges breach of duty in performance of professional business. So the IUA clause excludes:

This means they operate to materially restrict cover and exclude a range of cyber-related claims which might previously have been insured. Most obviously this would include claims by clients following a data breach or other unauthorised access to their data.

These are instead liabilities that as a result of the ‘silent cyber’ review, insurers now consider should be covered separately under cyber insurance policies. The intent is that specific cyber insurance policies are now the core ‘home’ for all cyber-related exposures – both first party costs and third party liabilities. Indeed the exposures discussed above are at the heart of the cover provided by those policies.

That said, there are likely to remain wrinkles as the market position works its way through. Policyholders will need to be aware of what exposures they retain. For example, the IUA clause currently seeks to exclude cover for liability arising from system failures - but that is not cover generally available in the cyber market either. We expect there to be limited scenarios where a system failure results directly in a client claim (without some intervening act bringing the claim back within scope of the PII cover) – but that cannot be ruled out.