Due to increasing ambiguity in cover between PI and cyber policies, we are applying a new Cyber and Data exclusion endorsement to all PI covers with immediate effect. There are two PI versions (for Tech and non-Tech policies).
The details below have been taken from market guidance provided by the Lloyd’s Market Association. This is to provide you with as much clarity as we can on both the background to, and content of, the clauses and, whilst complicated, this hopefully achieves that.
It is important to stress that this is not intended to be an exclusion per se, rather a clarification that these eventualities were never intended to be covered by a PI policy. The Tech variant recognizes that this might not be the case where IT services (particularly such as network security) are being provided, hence the different approach.
The relevant clause(s) will now be applied to all new and renewal quotations issued under our two PI facilities from today but, where we have already indicated terms without the clause(s), the existing quotation will remain unchanged.
There has been increasing concern among insurers and reinsurers that Professional Indemnity (PI) policies overlap (sometimes significantly) with Cyber covers, with this ambiguity serving to restrict willingness to underwrite both covers for the same client.
As a consequence, the International Underwriting Association in London has created a market standard clause which will now be applied to PI and Liability sections to ensure that markets can continue to underwrite each of the associated covers with confidence while providing a greater degree of risk separation clarity to policyholders.
The PI version of the endorsement starts from the principle of ensuring that traditional PI exposures remain covered whilst claims more appropriately covered elsewhere are excluded. Most commonly, these would fall under a stand-alone Cyber policy.
The Air Underwriting version provides a minor formatting variation to the standard clause to fit correctly with the current Air PI wordings. This caters for the additional third party exposures within scope of technology sector PI wordings.
The remainder of this document reviews the six elements of the clause and how they apply in practice.
The endorsement introduces new definitions for Computer System, Data and Data Protection Law. Initially, they apply solely to this endorsement but, in due course, the policy wording will be amended to fall in line. They also aim to mirror those commonly seen in the Cyber market.
Paragraph 1 – for clarity purposes, this paragraph confirms that the provisions in this Cyber endorsement over-ride other policy provisions in the event that there is competing policy language (though subject to the language in Paragraph 2). As the endorsement only relates to Cyber, it is worth noting that any provisions wholly unrelated to Cyber risks should not be over-ridden.
Paragraph 2 – this affirmation language was developed to aid contract clarity and also with the Lloyd’s requirements for its Managing Agents to expressly affirm or exclude cover in mind. It affirms that, unless otherwise stated in this endorsement or by other restrictions in the policy relating to the use of a Computer System, where the policy would otherwise respond there will be no restrictions on recovery solely due to use of a Computer System. So, subject to the endorsement provisions, where an otherwise valid, payable PI claim is brought, this will not be limited by the fact that a Computer System was incidentally used to complete the professional work. We would stress that Paragraph 2 does not in any way imply that any other cover in the underlying policy is expanded.
“We will not pay”
Clause 1 – this excludes cover for any losses and costs directly caused by, directly resulting from, or directly arising out of, a Cyber Act (which is defined), a partial or total failure of any Computer System (defined) or virus transmission. It is important to note the definition of Cyber Act only relates to unauthorised, criminal or malicious access to, operation of or use of Computer Systems and that both a) and b) are limited to Computer Systems owned or controlled by the Insured or any other party acting on behalf of the insured.
The decision to limit this exclusion to “direct” losses is important as a direct loss means there is no intervening act or opportunity for an intervening act (for example, a manual check of work) between the Cyber event and the loss. Any loss indirectly caused by, resulting from or arising out of a Cyber Act would not be excluded by this paragraph. It is also worth highlighting that losses excluded would include loss mitigation costs, though only within the strict confines of a Cyber Act.
Clause 2 – this excludes cover for any losses and costs arising from any failure or interruption of services relating to core infrastructure and utility providers.
The exclusion has been drafted narrowly to exclude (in paragraph a)) the failure of services provided to the insured (or those acting on their behalf) in respect of internet services, telecommunications and cloud computing. This does not include the hosting of hardware and software owned by the insured.
Paragraph b) excludes failures of services provided by utility companies, but only where the failure impacts a Computer System owned by the insured (or those acting on their behalf).
One important difference with Clause 1 is that this exclusion has a ‘direct or indirect’ trigger. This reflects the targeted nature of the exclusion, designed to exclude cover for systemic, non-PI risks these services apply to. This fits broadly with the overall intent to provide for PI related exposures and not wider system failure, particularly of the potentially systemic nature envisaged in the services noted in the paragraph.
Clause 3 – breaches of data protection legislation (defined) are subject to a standalone exclusion. These are separated from Clause 1 because the intention is that Clause 1 addresses the cause of loss but Clause 3 addresses the cause of action. It is not the intention that claims in tort or contract are captured under Clause 3. In most circumstances, claimed amounts where the cause of action is for breaches of such legislation should be covered by a stand-alone Cyber policy. One caveat to the exclusion is that it applies only to breaches of legislation by the insured or any other party acting on their behalf.
Clause 4 – this confirms that cover otherwise provided for reconstituting or recovering lost or damaged documents owned or controlled by the insured or any party acting on their behalf shall not apply to Data (which is defined). In the Data context, these costs are generally picked up in the Cyber insurance market. In the non-data (i.e. paper) environment – architects’ paper records, for example – this would remain covered, if provided for in the underlying policy.
As with anything new, please do get in touch if you want to discuss this clause or require advice on any aspect of these new cover arrangements.