The ironically entitled ‘silent cyber’ has been making a lot of noise in the legal sector of late. Vanessa Cathie, Vice President of Global Cyber & Technology at Lockton Companies, explains what it is and whether firms should be worried about it.
What is ‘silent cyber’?
Cyber risk is everywhere and as such threatens many lines of insurance. Elements of cyber cover have traditionally been found under policies for property, kidnap and ransom, as well as professional indemnity insurance (PII). However, the threat is not always affirmatively addressed within these policies. Insurers in non-cyber markets have not always fully considered the implications of cyber exposures, nor have they tackled the potential aggregation over their various types of policies.
This ‘silence’ in non-cyber policies does not necessarily mean cover is not there – just that it is not affirmative and coverage cannot be guaranteed, potentially leading to both coverage and claim reporting issues.
The growing size and sophistication of the standalone cyber market and increasing cyber attacks have been additional factors prompting a re-evaluation of cyber-specific risks over various lines of insurance.
Regulatory scrutiny by the Prudential Regulation Authority (PRA) into these risks, and the PRA’s requirement that insurers suitably identify, assess and manage their cyber liabilities, were factors in Lloyd’s issuing a mandate in July 2019 requiring Lloyd’s underwriters either to affirm or exclude cyber cover in various lines of insurance. Cyber cover should no longer remain ‘silent’.
Lloyd’s published a phased roll-out of the dates by which certain classes of insurance must comply. The rolling programme began with first-party property damage on 1 January 2020 and is continuing.
The roll-out applied to professional indemnity insurance policies from 1 January this year, causing a flurry of activity. Essentially, PII policies should have ‘compliant’ provisions in place for all policies commencing on or after 1 January 2021, so that it is clear whether cyber cover is excluded or affirmed.
What does this mean for firms?
The insurance markets are responding to the Lloyd’s mandate in a variety of ways. Two leading insurance market bodies, the London Market Association (LMA) and International Underwriting Association (IUA), have drafted cyber clauses that many insurers are applying to PII policies. Although the choice of one clause over another does vary from insurer to insurer, the typical net effect is that cyber cover for some third-party liability arising from cyber-related triggers is now being excluded.
While there is no consistent response at this stage, one thing is clear: for many insureds, a professional indemnity policy will not renew as expiring. However, for law firms the situation is a little more complex.
The Solicitors Regulation Authority’s (SRA’s) Minimum Terms and Conditions (MTCs) will not necessarily entertain a cyber exclusion: to do so may be contrary to the broad ‘civil liability’ basis upon which the MTCs are based. Consequently, the SRA is considering adding a clause to the MTCs such that client losses caused by a cyber attack should be affirmed.
This change would bring the wording in line with the Lloyd’s mandate, but rather than excluding cover (as the LMA and IUA clauses seek to do), the SRA approach would clarify cover for cyber-related losses, providing assurances for law firms that cover remains, without altering the scope of the current level of consumer protection.
Until such time as the SRA has completed its review, the Lloyd’s mandate will not impact on the MTCs – at least to the extent of compulsory cover. Cover above the compulsory limit will likely be subject to a cyber endorsement upon renewal.
Analysing the cyber endorsement
If faced with a cyber endorsement, a close analysis of its implications will be critical. Consider the following:
1. Does it contravene the MTCs? Does it seek to exclude cover where the MTCs disallow this?
2. If the endorsement is affirmative in nature, is it affirming all cover or does it remain silent on some?
3. Are there new gaps in cover?
4. Does any gap in cover necessitate the purchase of a standalone cyber policy? The purchase of cyber insurance may no longer be deemed a ‘discretionary spend’.
5. If the law firm has existing cyber cover, is a reassessment of limits necessary?
Every scenario is different and each situation should be assessed on its facts. There are subtleties associated with many of the cyber endorsements which must be understood in order to make fully informed decisions on cyber risk. It is possible that certain coverages currently available will no longer be available.
The renewal process will take some time and early engagement with your broker is recommended.