Lloyd's of London has implemented measures to make sure that syndicates remove 'silent' cyber form all classes of business. The mandate is not to exclude cyber risks from policies, but to make sure that policies are affirmative in either the inclusion or exclusion of cyber triggers, reducing the risk for misinterpretation and consequential disputes, which then reflect negatively on the insurance industry.
Since 1 January 2020 Lloyd's syndicates have started applying cyber exclusions to property programmes, and are applying similar exclusions to other classes of business such as General Liability, Aviation and Political Risk.
From a property perspective, Lloyd's syndicates and insurance companies have frequently started applying the LMA 5400 exclusionary language.
This language effectively excludes any property damage and ensuing business interruption that is caused by a Cyber Act. Cyber Act is defined as “an unauthorised, malicious or criminal
act or series of related unauthorised, malicious or criminal acts, regardless of time and place, or the threat or hoax thereof involving access to, processing of, use of or operation of any
Computer System”. In simple words, any malicious attack or hack would trigger this exclusion.
Lloyd's insurers can sometimes offer a “carve-back” for some property loss or damage but this is limited to damage caused only by a fire or explosion, and which is the result of nonmalicious incident, and availability will vary based on insurer's appetite and class of insured.
Building Ownership and Responsibilities
There are other crucial factors for professional services firms to consider within the context of property damage.
Generally speaking, professional services firms tend not to own the buildings in which they operate, leasing them from landlords.
Another complicating factor is that many commercial buildings are maintained by building managers.
It is vital to consider and understand which party is responsible for the insurance, maintenance and security of the building itself, as well as the building's fixtures and fittings, contents, operational systems, fire suppression systems, and networks.
The terms of the commercial lease agreements should outline the contractual obligations in full but responsibility will vary depending upon the terms of the lease.
The Building
With most leases, the landlord arranges the insurance for the building itself (often passing on some or all costs to the tenant). The landlord would typically also insure against loss of rent
(triggered where the premises are damaged and unable to be used) and likely pass on the cost.
A tenant might wish to arrange additional insurance for any of their losses from business interruption caused by problems with the building.
Fixture and Fittings
Fixtures and fittings in a leased property deserve particular mention as the ownership, maintenance and insurance responsibilities can be fact-specific depending upon the nature
of the fixtures and fittings themselves. Ideally the lease should state in clear terms the parties' responsibilities (although in practice this is not always the case).
Building Operating Systems
Operating systems in buildings are evolving with the digital transformation of the building design process. Systems may include fire protection management, processes controlling the
building's environment, access control or security.
Again, the responsibilities for maintenance, security and insurance of these systems can vary and ought to be understood and considered at the outset.
The Contents
Typically, anything that the tenant owns will be covered under the tenant's own business insurance policy.
Where to from here?
It is critical to identify possible property damage and who is responsible for the insurance of that damage. It will then be necessary to identify gaps in coverage, including those gaps resulting from cyber exclusions. The flow-chart which you can download by clicking the link to the right of this page should assist in that process.
Putting This in Context
The following are possible physical damage scenarios within the context of a professional services tenancy, together with the consequent insurance responses.
Each firm ought to have completed a full analysis of its legal and commercial responsibilities regarding the insuring of the various property components, including the building itself, the operating systems, and fixture and fixtures and contents, where appropriate.
As identified above, this will be largely determined by ownership of the property in question, but potentially modified by contract.
1. Firm A is a tenant. Firm A's network is intruded by perpetrators. Through remote access, the hackers overheat the computer hardware in the server room, causing the equipment to catch fire. The fire spreads around the building and destroys all Firm A's contents.
In this case, if the applicable policy included the LMA5400 exclusion, the policy would not
respond to coverage for the property damage. This is as a result of the damage being caused
by a malicious act; a Cyber Act which triggers the LMA5400 exclusion.
2. Firm B is a professional services firm which owns its own building. The firm suffers a system shutdown, caused by an error made by an employee's 'fat finger'. The shutdown causes the server room to overheat and catch fire. The building burns down as a consequence.
The property policy should cover this as a carve-back to the operation of LMA5400 as the damage was caused by a fire emanating from a cyber incident that did not involve a
malicious act.
3. Firm C suffers a cyber-attack which infiltrates an aspect of the building's operational technology which is the responsibility of Firm C. The perpetrators set off the sprinklers on one floor, effectively destroying all computer equipment and furniture.
A property policy with an LMA5400 exclusion would not cover this damage, it being the
result of a malicious act.
4. Firm C suffers another incident a year later when an employee accidentally, through
inadvertent use of the computer network, re-programmes the sprinkler system, causing further water damage to Firm C's new furniture and computer equipment.
While the action causing the incident was not malicious, the exclusion applies as the loss is caused by water damage, not from fire of explosion. Cover would be declined.
Summary
It is important to identify property damage risks, and the responsibilities for those risks, before any business commences operations on site.
The cyber insurance market has evolved substantially, especially in light of the Lloyd's mandate. There are various solutions in the market to provide effective cover for that which is excluded under property policies.
There are capacity limits within the cyber market which currently sit around $200M (although greater capacity may be available within the energy and power sectors). While the cyber capacity may not match limits available in the property market, there is some cover nonetheless.
These property damage options can be offered by way of standalone cyber damage policy that effectively buys back to the property policy or as part of a traditional cyber policy.
For further details on the available solutions, please contact us using the contact details at the top of this page.