'Silent Cyber' and Solicitors’ PII – What you need to know

Insurers are clarifying their position on 'silent cyber' in professional indemnity insurance (PII) policies. This is likely to result in reduced cover in PII policies for cyber-related exposures. It is important to understand how this will affect you and whether you will need separate cyber cover.

What is ‘Silent Cyber’?

‘Silent cyber’ is the term used for potential cyber exposures in traditional property or liability policies, where cyber coverage is neither explicitly excluded nor clearly included. This can result in ambiguous coverage, an increased risk of disputes, and cover that doesn’t match policyholder expectations.

What are insurers doing about it?

Lloyd’s of London, insurers and regulators are concerned that underwriting and risk pricing may not accurately reflect the cyber risks for which cover is ‘silently’ provided. The Prudential Regulatory Authority (in January 2019) and then Lloyd’s (in July 2019) have made insurers put plans into action to reduce those ‘silent’ exposures, either by excluding them or by providing affirmative cover.

The changes have been introduced in a number of phases, and the phase covering PII and other liability policies commenced on 1 January 2021.

How has that been applied in practice?

The process is likely to be ongoing for some time, but given the mandate and the short timeline, most insurers have initially moved to exclude rather than to affirm cover.

Does this apply to the Minimum Terms and Conditions (MTCs) for solicitors’ PII?

Not yet. The SRA is currently considering the issue and reviewing the MTCs and drafting options that meet the requirements of the insurance market, but do not reduce consumer protection – particularly cover for losses arising from breaches of the SRA Accounts Rules and third party claims. They have indicated in a communication to Participating Insurers that they hope to be in a position to consult on any proposed changes to the MTCs in March/April 2021.

Following the consultation, any proposed changes will be subject to approval by the SRA Board and the Legal Services Board. It is anticipated that the change would then be effective from renewal, an extension of the policy or from a date falling 2 months after the variation is notified. It will therefore be important to ensure that you remain informed about the progress of this issue.

The SRA has also advised Participating Insurers that, pending any approved changes to the MTCs, they would not expect insurers to add any silent cyber exclusions to compulsory PII policies that could potentially conflict with the MTCs. If they do, the MTCs will prevail.

Does this apply to excess layers for solicitors’ PII?

If you have excess layer cover above your compulsory £2m or £3m MTC cover, you will need to check with your broker to understand what the position is when you are negotiating your next renewal.

Given the time that the SRA will require to address this issue, Lloyd’s has indicated that its requirement for “silent cyber” to be addressed on excess layers for solicitors’ PII can be deferred until 1 October 2021. However, while that dispensation has been allowed, it is currently unclear whether it will be adopted by Lloyd’s syndicates and whether company markets will also take the same position.

What does this mean for me?

  1. You need to remain informed regarding the SRA’s proposed consultation and any changes to the MTCs that could affect your cover during the policy period.
  2. As advised above, you will need to discuss excess layer cover with your broker at your next renewal to determine what the position is at that time.

We will do our best to avoid cyber exclusions being applied (and to obtain affirmative cover), but the regulatory mandate position and hard market conditions mean that PII insurers may ultimately insist on exclusions.

If any exclusions to your cover are proposed, you will need to examine the wording carefully. The exclusions that are currently in the market vary in form and breadth, but as a rough guide you should expect them to apply to any claims (or other coverage) resulting or arising from:

  • a security breach or other unauthorised or malicious access to or use of your computer network or data (including denial of service attacks, computer viruses, ransomware and similar);
  • a breach of data protection law or other privacy breach; and
  • an unplanned or unintended system failure involving your computer network or access to data stored on your computer network.

You should also assess the extent to which you already have cover for cyber liabilities in place. In many cases, a standalone cyber policy may be the best solution to ensure coverage and fill gaps resulting from a silent cyber exclusion. However, cyber policies differ in the scope of cover they provide. It is therefore important that you carefully review the policy wording so that you can understand what is covered.

For further information, you might also be interested in our article presenting FAQs that explain when and how PII and cyber policies respond to a cyber incident.

If you would like to discuss this in more detail, please get in touch.

Written by Jenny Screech LLB (Hons)

Legal Consultant, Howden PII
