In this modern technological world, it comes as no surprise that professional firms, which typically hold significant amounts of client money and personal data, are subject to ever-increasing cyber-risk.
This has no doubt been exacerbated post-COVID by the greater dependence on technology the pandemic has caused. Under traditional professional indemnity (PI) policies, cyber cover was often neither explicitly included nor explicitly excluded, leading to increased coverage disputes and, frequently, inadvertent cover for cyber risks under liability policies. In recent years this so-called “silent cyber” has been an area of increasing focus for regulators (see our article “Silent Cyber in Professional Indemnity Insurance” here). The ICAEW has recently sought to address this uncertainty for its members and firms by amending its minimum approved wording to clarify the extent of cyber cover in policies of qualifying insurance from 1 September 2021. We summarise what the changes mean in practice.
The uncertainty over cover for silent cyber is problematic for insureds and insurers alike. In January 2019, the Prudential Regulation Authority (PRA) required insurers to put in place an action plan to reduce unintended cyber exposures. Similarly, Lloyd's of London mandated that all professional indemnity and other liability policies underwritten by its syndicates from 1 January 2021 should make clear whether cyber claims and losses are included or excluded (a dispensation for professional indemnity insurers providing insurance to the regulated professions has been extended to 1 October 2021).
To meet this new requirement, the Lloyd's Market Association (LMA) and the International Underwriting Association (IUA) created several model cyber endorsements, which PI Insurers have used to exclude cover for cyber-risks.
It is against this wider regulatory backdrop that the ICAEW recognised that some change was required to the minimum approved wording.
The changes to the ICAEW's minimum approved policy wording – effective from 1 September 2021
The changes the ICAEW has now introduced apply the cyber exclusions within the IUA model clause, but only in relation to “Relevant First Party Loss”. This is defined within the minimum terms as cover for defence costs incurred in investigating, reducing, avoiding or settling a potential Claim or circumstance (i.e. the Insured's mitigation costs). We set out below a summary comparison of the clauses.
The purpose of the IUA model professional indemnity cyber endorsement clause is to materially restrict cover and exclude a range of cyber-related claims which might previously have been insured under PI policies. This includes third party claims against insureds where those claims arise directly (i.e. proximately) from a Cyber Act or Computer System failure. However, the IUA explains that the clause's reference to “direct” losses being excluded means that where the Insured has intervened, and that intervention is in fact the proximate cause of the loss, the exclusion will not apply. As such, traditional PI claims remain covered, but cyber-related losses without a direct professional negligence element are excluded. The intent is that all cyber-related exposures (both first party costs and third party liabilities) should be insured under a specific stand-alone cyber insurance policy.
By contrast, the ICAEW has limited the exclusion's application to Relevant First Party Loss. As such, all existing cover for third party claims, ombudsman awards and defence costs is preserved, even where a cyber-related event or trigger is the dominant cause of the losses claimed by the third party.
There is clearly a balance to be struck between addressing Insurers' concerns about their cyber-related exposure within PI policies and protecting the public from cyber losses. In justifying the preservation of existing cover for third party claims under the minimum terms, the ICAEW pointed out that:
- There is no regulatory requirement on ICAEW members or firms to hold separate cyber cover
- The terms of standalone cyber policies are highly variable
- Some third party claims excluded under the IUA model clause would be unlikely to be covered by any typical standalone cyber policy
- Any exclusion of third party claims would undoubtedly lead to a lack of clarity among members as to which types of claim are and are not covered, which would undermine the trust and confidence of the public when dealing with members
Whilst the above reasons explain the ICAEW's reluctance to amend the terms further, Insurers will no doubt consider that the amendments do not go far enough in addressing their concerns, or in delivering the certainty demanded by the PRA. Notably, cover is still provided for third party liabilities arising from IT infrastructure failure. Such liabilities are outside the insured's control and unrelated to its professional activities, and they make it difficult for Insurers to quantify or manage their aggregate exposures. In the current hard market, this may result in participating Insurers withdrawing from the market or increasing premiums. There will also undoubtedly be more detailed pre-inception scrutiny of Insureds' potential cyber exposure and of whether they have separate cyber cover in place.