Background

The market for cyber insurance is a growing one. The global market was worth $7.01 billion in gross written premiums in 2020 and this is expected to nearly triple by 2025, due in no small part to the rise in remote working enforced by the COVID-19 pandemic. These policies typically provide coverage for reputational and financial loss resulting from cyber-attacks and data breaches and are known as “affirmative” cyber cover.

However, many companies only have “non-affirmative”, or “silent” cyber cover. This arises out of traditional professional indemnity or D&O policies, whereby cover may be provided for such “cyber risks” but it is not made expressly clear in the policy wordings. This uncertainty has created disputes between policyholders and insurers as to whether a particular data breach or cyber harm can be covered, the most high-profile example being Mondelez v Zurich.

As a result of the 2017 NotPetya global cybersecurity breach, Mondelez suffered losses of over $100 million. Naturally, they submitted an insurance claim, under their property insurance policy, which crucially did not have terms expressly covering losses from cyber-attacks. The insurer, Zurich Insurance, has sought to rely upon a ‘war’ exclusion clause (given it is alleged by multiple national crime agencies that Russian agents were responsible for the NotPetya attack) to decline cover. Mondelez is currently suing Zurich in the Illinois court.

The magnitude of losses that Mondelez has suffered is not atypical: an IBM report found that for breaches ranging from 2,000 to 101,000 records, the average total cost of a data breach in the UK was £3.42 million. We all know about the reputational and financial losses suffered by British Airways following its 2018 data breach. This further emphasises the importance of insurers and policyholders knowing with certainty what is and isn’t covered under their professional indemnity policies.

UK Regulatory Response

Regulators in the UK insurance industry have sought to address this gap in coverage. In 2019, the Prudential Regulatory Authority (PRA) recommended that insurers should take steps to reduce the exposure caused by silent cyber risk. Professional indemnity policies were highlighted as being at high risk for exposure to cyber breaches given the sensitive data and personal information that law firms and financial service companies hold for their clients. This was followed by Lloyd’s, which in July 2019 directed that its members would have to clearly exclude or affirmatively include cyber cover in their policies.

In May this year, the Solicitors Regulation Authority (SRA) published their consultation on affirmative cyber cover in professional indemnity policies. They have now proposed an additional clause to the Minimum Terms and Conditions of Professional Indemnity Insurance (MTCs for Solicitors) to explicitly include cover for cyber-attacks/events. Such coverage would be equal in application to any other claim for civil liability under the PII Policy. However, the SRA’s proposal also excludes cover for first-party losses, meaning losses to the policyholder will not be compensated but claims brought against the policyholder by third parties will be. The proposal has been submitted to the Legal Services Board (LSB) for final approval. The SRA has indicated that if agreed, the new clause should be in place for any insurance renewals from early next year.

The SRA’s proposal:

Exclusions 

The insurance must not exclude or limit the liability of the insurer except to the extent that any claim or related defence costs arise from the matters set out in this clause 6.

Cyber, Infrastructure and Data Protection Law

The insurance may exclude, by way of an exclusion or endorsement, the liability of the insurer to indemnify any insured in respect of, or in any way in connection with:

  1. a cyber act
  2. a partial or total failure of any computer system
  3. the receipt or transmission of malware, malicious code or similar by the insured or any other party acting on behalf of the insured
  4. the failure or interruption of services relating to core infrastructure
  5. a breach of Data Protection Law

provided that any such exclusion or endorsement does not exclude or limit any liability of the insurer to indemnify any insured against:

  1. civil liability referred to in clause 1.1 (including the obligation to remedy a breach of the SRA Accounts Rules as described in the definition of claim)
  2. defence costs referred to in clause 1.2
  3. any award by a regulatory authority referred to in clause 1.4

In addition, any such exclusion or endorsement should not exclude or limit any liability of the insurer to indemnify any insured against matters referred to at (i), (ii) and (iii) above in circumstances where automated technology has been utilised.

What now?

Should the SRA’s application to the LSB be successful, existing solicitors’ professional indemnity policies will need to be examined closely to ensure they comply with the new MTCs. Of particular concern may be the provision regarding “automated technology”, as the term has been purposefully left undefined by the SRA. The SRA anticipates that the way that parties and courts will interpret this phrase will evolve as technology progresses over time. Meanwhile, insurers can still offer standalone cyber insurance policies to law firms who want first-party cover, and the SRA believes that this proposal will provide better clarity for firms in assessing whether they should purchase additional cyber cover.

There are also concerns about the impact of the additional cover on insurance premiums. The SRA has suggested that the premiums will not be directly altered by the proposed changes, as “claims for civil liability caused by a cyber-attack have always been considered to be in the scope of an MTC compliant PII policy and reflected in any premium that a law firm pays.” However, it could be argued that any additional clauses to the MTCs will have the potential to increase costs.

In the meantime, some insurers have been getting ahead of the game and have clarified the terms of their policies.

Watch this space!

For any further information or to discuss the subject matter of this article, please contact John Bradley (Partner) or Lawrence Lee (Paralegal) at the contact details below:

John Bradley
DD: 020 7220 4703
E: john.bradley@rcbllp.com

Lawrence Lee
DD: 020 7220 4721
E: lawrence.lee@rcbllp.com


Reynolds Colman Bradley LLP

Date: 15 November 2021

Applicable Law: England and Wales

If you would like to speak to Paragon relating to the above or cyber cover generally, please contact:

Piers Winton
Senior Vice President
Paragon International Insurance Brokers Ltd
M: 07787 375 378
DD: 020 7280 8224
Email: pwinton@paragonbrokers.com

Ryan Senior
Senior Vice President
Paragon International Insurance Brokers Ltd
M: 07827 575652
DD: 020 7280 8254
Email: rsenior@paragonbrokers.com

This article is intended to provide commentary and general opinion on its subject matter. It is not to be regarded and/or relied upon as a substitute for professional advice which takes account of specific circumstances and/or any changes in the law and practice. No responsibility can be accepted by the firm or the author for any loss occasioned by any person acting or refraining from acting on the basis of this document.