In July of last year Lloyd’s issued a mandate designed to bring clarity to technology exposures covered under non-cyber specific policies.
Until this year, property damage and business interruption policies (as well as Crime, Professional Indemnity and others) often contained implicit coverage for technology related losses. In practice, whether the policies would pay out for those losses was unclear – indeed, it was often only at the point at which a claim was made that this issue would be addressed. The inevitable result has been contested claims such as the high-profile dispute between Mondelez and its insurer, Zurich, over its $100m loss that occurred in 2017 as part of the devastating NotPetya hack which also affected other global giants Maersk, Fedex, Merck, Saint-Gobain and Reckitt-Benckiser.
The new mandate attempts to bring transparency to this ever-growing and fast evolving risk area. The crucial change is that insurers must now specify whether or not cyber exposures are included at policy inception – this is defined as ‘affirmative cyber risk’.
As ever, Mactavish welcomes this drive towards greater clarity from insurers. However, as with any significant regulatory change, the impact can be considerable and needs to be properly understood by all organisations placing insurance in the London or UK market.
So far, so good. However, from what we have seen so far, a number of insurers have taken the opportunity to make it clear that pure cyber losses are explicitly excluded from policies. While this may be no bad thing, we have two overriding concerns. The first is that clients may not be made fully aware that this change has taken place, leaving them without coverage which they thought was in place. The second, and harder to fix concern is that many of the wording changes we have seen introduced go far beyond the elimination of ‘pure’ cyber risks and would also exclude many ‘traditional’ losses.
In some cases, exclusions have been drafted in such a way that any technological damage is deemed to fall outside of the policy. In some of the template exclusions seen by Mactavish, all losses even indirectly contributed to by IT or data failure are explicitly not covered, even irrespective of other causes of loss. In the modern world, in which every aspect of business has been – or is being – connected via digitisation, this is an especially sweeping change which in many cases removes far more cover than is available within cyber-specific policies.
What can you do to understand how this affects your organisation?
From the conversations we have with insurance buyers it is fair to say that this mandate has not been communicated sufficiently by brokers. Clients have been horrified to learn of the significance of this change as it could apply to their own key loss scenarios and are now having to very quickly reconsider their whole approach to cyber and technology risk transfer.
As we’ve previously noted, the cyber insurance market, although meeting a vital need, remains relatively immature, untested and offers limited capacity on a sometimes overly standardised basis. As companies rush to buy standalone cyber policies the market will come under greater stress, further exacerbating the hard market conditions that are becoming prevalent in other lines.
It’s essential that you take action well ahead of your 2020 renewal to assess the impact of cyber changes on the cover you expect across your insurance programme, and how the insurers you are marketing your risks to have reacted to the silent cyber mandate. Crucially, you should work back from your risk analysis outputs to determine exactly where your technology related exposures lie, which of those fit within existing policies and which within cyber-specific cover.
If your broker is unaware of how insurers are responding to the silent cyber mandate – or cannot be definitive about the effects of new exclusions – you may want to consider seeking an independent opinion. Our team has developed a specialism in precisely this area and has deep expertise in auditing policy wordings to define any gaps – as well as tailoring cyber cover to meet clients’ individual needs. If you have concerns about how the silent cyber mandate could impact your business we’d be very happy to discuss them with you. Similarly, if you are now considering purchasing a cyber specific policy for the first time – or are looking to add additional coverage to your current policy – the Mactavish team can help ensure that you buy the right product at the right price.
Rob Smart
Technical Director