New Restrictions on RICS Minimum Terms - the Sound of Silent Cyber
14 September 2021
From 1 January 2021, Lloyd’s syndicates were required by regulators to clarify their position on ‘silent cyber’ in professional indemnity insurance (PII) and directors’ and officers’ (D&O) policies.
This has resulted in all PII insurers looking to apply new exclusions, which have been mirrored in the updated RICS minimum terms. We discuss those terms and their impact below, but the ultimate outcome is reduced cover under PII policies for cyber-related exposures. As a result it will be more important than ever to consider whether a separate cyber insurance policy is required, and to ensure that appropriate cover is maintained.
What is ‘Silent Cyber’?
The development of technology, and the world’s reliance on data, has led to an expanding scope of cyber exposures faced by policyholders and insurers alike. Some of these risks are obvious, but many are not – and certainly wouldn’t have been when many traditional insurance policy wordings were originally developed.
‘Silent cyber’ is the term used to describe potential cyber exposures within these traditional property or liability insurance policies, where cyber coverage is neither explicitly excluded nor clearly included. This can result in coverage which may be ambiguous, resulting in an increased risk of disputes between policyholders and insurers, and cover not matching policyholder expectations. From a regulatory standpoint, underwriting and risk pricing may not accurately reflect the cyber risks for which cover is ‘silently’ provided.
Lloyd’s of London, insurers and regulators have become concerned that silent cyber may represent an unexpected risk to insurers’ portfolios, with large unintended aggregate cyber exposures. As a result, first the Prudential Regulatory Authority (in January 2019) and then Lloyd’s (in July 2019) have required insurers to put action plans in place to reduce those unintended or unclear exposures. Lloyd’s of London has mandated that all policies underwritten by Lloyd’s syndicates should provide clarity regarding cyber coverage by either excluding it, or providing affirmative coverage. Company markets are also following suit, both for consistency (as many also operate a Lloyd’s syndicate) and driven by comments from regulators.
The changes have been introduced in a number of phases, with the phase including PII and other liability policies commencing on 1 January 2021.
How has the phased roll-out been progressing?
Excluding or affirming cyber cover sounds simple in theory. However, in practice it has been far from plain sailing.
Given the mandate and the short timeline provided by Lloyd’s, the response of insurers was generally to exclude rather than to confirm cover. From insurers’ perspective this was sensible, as they were wary of confirming cover where they had not yet fully understood their exposures. However, there was initially little centralised alignment or control - Lloyd’s did not itself provide a definitive clause, or approve any particular market clause.
Latterly, however, the insurance market has broadly aligned behind model clauses developed by the Lloyd’s Market Association (LMA) and the International Underwriting Association (IUA) respectively. These are both market bodies that insurers often follow.
How has RICS responded?
To reflect this market shift, RICS has made certain changes to the Approved Minimum Wording which came into effect on 1 April 2021. Those changes involve the addition of three new exclusions:
(i) An exclusion of any claim directly arising from the receipt or transmission of a computer virus by the insured (or any party acting on behalf of the insured);
(ii) An exclusion of any loss or costs incurred by the insured in identifying, containing and/or remedying a ‘Cyber Act’ or in complying with any resulting notification obligations.
A ‘Cyber Act’ for these purposes means damage to computer programs or electronic data caused by an unauthorised, malicious or criminal act involving access to or use of a computer system – the core example being hacking or phishing attacks.
(iii) An exclusion of any claim directly arising from computer system failure or internet/cloud services failure, i.e.:
a. partial or total unavailability of the insured’s computer system; or
b. failure or interruption of service provided by an internet, telecoms or cloud services provider, or a utility provider (the latter only where it impacts the insured’s computer system or the system of a party acting on the insured’s behalf).
Importantly, this limb does not apply to any claim arising out of a breach of duty in the performance of professional business.
RICS’ express position is that “the changes do not restrict the cover provided in PII policies”. That does appear to be the case for the most part. Certainly it is not the intent to provide cover under a PII policy for the insured’s own costs under (ii) above. The system failure exclusion also does not apply to the extent the claim alleges a breach of duty in the performance of professional business – which is of course the basis for third party claims in a professional context.
That said, there is some potential for the exclusions to restrict the cover otherwise available. The computer virus exclusion at (i) is not subject to any ‘breach of duty’ protection, and so would apply where the alleged transmission was part of a negligence claim against the firm. The exclusions at (i) and (iii) might also apply to the Statutory Liabilities cover, as those covered claims are regulatory in nature and/or based directly on breach of statute, independently of the professional business relationship. These are, however, likely to be relatively isolated incidents, and cover is in any event sub-limited to GBP 250,000.
What is the position on insurance in excess of the Minimum Terms?
On insurance cover in excess of the Approved Minimum Wording, insurers are applying the LMA and, in particular, the IUA model clauses. These are much broader exclusions than the RICS language. They refer to similar cyber incidents, but operate more generally to exclude any third party claims that might arise as a result – without any protection where the claim alleges breach of duty in the performance of professional business. So the IUA clause excludes:
- Any third party claims or other loss directly arising from a Cyber Act (as above), the insured’s computer system failure, or the receipt or transmission of a computer virus.
- Any third party claims or other loss directly or indirectly arising from failure or interruption of service provided by an internet, telecoms or cloud services provider, or a utility provider (the latter only where it impacts the insured’s computer system or the system of a party acting on the insured’s behalf).
- Any third party claims or other loss for an actual or alleged breach of data protection laws by the insured or others acting on the insured’s behalf.
- Any costs in reconstituting or recovering lost or damaged documents / data.
This means they operate to materially restrict cover and exclude a range of cyber-related claims which might previously have been insured. Most obviously this would include claims by clients following a data breach or other unauthorised access to their data.
These are instead liabilities that, as a result of the ‘silent cyber’ review, insurers now consider should be covered separately under cyber insurance policies. The intent is that specific cyber insurance policies are now the core ‘home’ for all cyber-related exposures – both first party costs and third party liabilities. Indeed, the exposures discussed above are at the heart of the cover provided by those policies.
That said, there are likely to remain wrinkles as the market position works its way through. Policyholders will need to be aware of what exposures they retain. For example, the IUA clause currently seeks to exclude cover for liability arising from system failures - but that is not cover generally available in the cyber market either. We expect there to be limited scenarios where a system failure results directly in a client claim (without some intervening act bringing the claim back within scope of the PII cover) – but that cannot be ruled out.
What should you do?
Policyholders will need to carefully review their current policies alongside their broker and examine any exclusion proposed, to ensure that they are fully understood and not overly broad. In many cases, a standalone cyber policy may be the best solution to ensure coverage and fill gaps resulting from a silent cyber exclusion.