New Restrictions on ICAEW Minimum Terms – The Sound of Silent Cyber

From 1 January 2021, the insurers known as ‘Lloyd’s syndicates’ were required by regulators to clarify their position on ‘silent cyber’ in professional indemnity (PI) and directors’ and officers’ (D&O) policies. This has resulted in insurers looking to apply new exclusions, which have been mirrored in the updated ICAEW minimum terms. We discuss those terms and their impact below, but the ultimate outcome is a limited reduction in cover under those minimum terms for cyber-related exposures. As a result, it will be more important than ever to consider whether a separate cyber insurance policy is required and to ensure that appropriate cover is maintained.

What is ‘Silent Cyber’?

The development of technology, and the world’s growing reliance on data, has led to an expanding scope of cyber exposures faced by policyholders and by insurers. Some of these exposures are obvious; many others were not, certainly not when many traditional insurance policy wordings were originally developed.

‘Silent cyber’ is the term used to describe potential cyber exposures within these traditional property or liability insurance policies, where cyber coverage is neither explicitly excluded nor clearly included. This can result in coverage which may be ambiguous, with an increased risk of disputes between policyholders and insurers and cover not matching policyholder expectations. From a regulatory standpoint, underwriting and risk pricing may not accurately reflect the cyber risks for which cover is ‘silently’ provided.

Lloyd’s of London, insurers and regulators have become concerned that silent cyber may represent an unexpected risk to insurers’ portfolios, with large unintended aggregate cyber exposures. As a result, first the Prudential Regulation Authority (in January 2019) and then Lloyd’s (in July 2019) required insurers to put in place action plans to reduce those unintended or unclear exposures. Lloyd’s has mandated that all policies underwritten by Lloyd’s syndicates provide clarity on cyber coverage, either by excluding it or by providing affirmative cover. Company markets are also following suit, both for consistency (many also operate a Lloyd’s syndicate) and in response to comments from regulators.

The changes have been introduced in a number of phases, with the phase including PI and other liability policies commencing on 1 January 2021.

How has the phased roll-out been progressing?

Excluding or affirming cyber cover sounds simple in theory; in practice, it has been far from plain sailing.

Given the mandate and the short timeline provided by Lloyd’s, the response of insurers was generally to exclude rather than to confirm cover. From insurers’ perspective this was sensible, as they were wary of confirming cover where they had not yet fully understood their exposures. However, there was initially little centralised alignment or control - Lloyd’s did not itself provide a definitive clause, or approve any particular market clause.

Latterly, the insurance market has broadly aligned behind model clauses developed by the Lloyd’s Market Association (LMA) and the International Underwriting Association (IUA) respectively. These are both market bodies that insurers often follow.

How has the ICAEW Responded?

To reflect the market shift, the ICAEW has made certain changes to the Approved Minimum Wording which come into effect from 1 September 2021. The ICAEW has in effect applied the IUA’s model clause wording, but importantly has limited that to only exclude “relevant first party loss” i.e. the insured’s own internal costs.

This has preserved most of the existing cover for third party claims, Ombudsman awards and defence costs, even if a cyber-related event forms part of the cause(s) of the loss claimed by the third party. What it has removed in that scenario is the existing cover for what are known as ‘mitigation costs’, i.e. the costs of investigating, reducing, avoiding or settling a potential third party claim. This has traditionally covered legal costs and settlements incurred before a formal Claim is made, giving the insured flexibility to deal quickly and early with potential issues. The view taken was that this language potentially provided a back door through which first party costs could come within cover in a cyber context, so it has been removed to that extent.

In more detail, the changes involve the addition of four new exclusions, each excluding ‘relevant first party loss’ where it is:

  1. directly arising out of a ‘Cyber Act’ – i.e. an unauthorised, malicious or criminal act involving the use or operation of any computer system, most commonly being hacking or phishing attacks;
  2. directly arising from computer system failure – provided the computer system is owned and operated by the Insured or a party acting on their behalf;
  3. directly arising from the receipt or transmission of a computer virus by the insured (or any party acting on their behalf); and
  4. for breach of Data Protection Law by the insured (or any party acting on their behalf).

A generally applicable, broad exclusion has also been added for loss directly or indirectly arising from any failure or interruption of service provided:

  1. to the insured by an internet service provider, telecommunications provider or cloud provider, but not including the hosting of hardware and software owned by the insured; or
  2. to the insured by any utility provider, but only where the failure or interruption of service impacts a computer system operated by the insured (or a party acting on their behalf).

Importantly, however, this limb does not apply to any claim arising out of a breach of duty in the performance of professional business.

The ICAEW’s intention is neither to narrow nor to extend the cover currently found in a PI policy. Accordingly, most of the exclusions are limited to ‘relevant first party loss’, and the interruption of services exclusion is subject to a breach of duty carve-back, so they should not restrict cover otherwise found in the PI policy (as it is that breach of duty that would form the basis for the relevant claim). Note, however, that the ‘interruption of services’ exclusion may restrict cover for costs incurred during regulatory investigations, as these may arise independently of the professional business relationship.

What is the position on insurance in excess of the Minimum Terms?

On insurance cover in excess of the Approved Minimum Wording, insurers are applying the LMA and particularly the IUA model clauses. These are much broader exclusions than the ICAEW language. They refer to similar cyber incidents, but operate more generally to exclude any third party claims that might arise as a result – without any protections where the claim alleges breach of duty in performance of professional business. So the IUA clause excludes:

  • Any third party claims or other loss directly arising from a Cyber Act (as above), the insured’s computer system failure, or the receipt or transmission of a computer virus.
  • Any third party claims or other loss directly or indirectly arising from failure or interruption of service provided by an internet, telecoms or cloud services provider, or a utility provider (the latter only where it impacts the insured’s computer system or the system of a party acting on the insured’s behalf).
  • Any third party claims or other loss for an actual or alleged breach of data protection laws by the insured or others acting on the insured’s behalf.
  • Any costs in reconstituting or recovering lost or damaged documents / data.

This means that they operate to materially restrict cover and exclude a range of cyber-related claims which might previously have been insured. Most obviously this would include claims by clients following a data breach or other unauthorised access to their data.

These are instead liabilities that as a result of the ‘silent cyber’ review, insurers now consider should be covered under cyber insurance policies. The intent is that specific cyber insurance policies are now the core ‘home’ for all cyber-related exposures – both first party costs and third party liabilities. Indeed, the exposures discussed above are at the heart of the cover provided by those policies.

That said, there are likely to remain wrinkles as the market position works its way through. Policyholders will need to be aware of what exposures they retain. For example, the IUA clause currently seeks to exclude cover for liability arising from system failures - but that is not cover generally available in the cyber market either. We expect there to be limited scenarios where a system failure results directly in a client claim (without some intervening act bringing the claim back within scope of the PI cover) – but that cannot be ruled out.

What should you do?

Policyholders will need to carefully review their current policies alongside their broker and examine any exclusion proposed, to ensure that they are fully understood and not overly broad. In many cases, a standalone cyber policy may be the best solution to ensure coverage and fill gaps resulting from a silent cyber exclusion.