Podcast: Silent cyber

Summary

In this podcast on silent cyber, we highlight the difficult exercise primary layer insurers face in satisfying the tension between meeting the regulator's minimum terms and clarifying just what cyber loss is catered for under a standard solicitors' professional indemnity policy.

Transcript

Mickaela Fox: Hello, my name is Mickaela Fox. I am a Partner in the professional indemnity team at Weightmans, specialising in solicitors' professional indemnity, the mainstay of my work being defence and coverage instructions for insurers who provide primary layer cover for the solicitors.

Mickaela: This is a short podcast today on silent cyber, highlighting the difficult exercise primary layer insurers face satisfying the tension between meeting the regulator's minimum terms and clarifying just what cyber loss is catered for under a standard solicitors' professional indemnity policy.

Mickaela: I want to start by explaining what we mean by the phrase silent cyber and why it is problematic.

Mickaela: ‘Silent cyber’ is the term used to describe potential cyber exposures within traditional property or liability insurance policies, where cyber coverage is neither explicitly excluded nor clearly included.

Mickaela: This results in uncertainty and ambiguity in the cover provided, which has a number of consequences.

Mickaela: Firstly, with cyber-crime continuing to rise, we have not seen the uptake in standalone cyber policies one might have expected. This is in part due to businesses being over-reliant on their traditional policies for cover in the event of a cyber-attack.

Mickaela: Secondly, a lack of clarity in the cover provided leads to disputes between policyholders and their insurers, with the former invariably arguing for the broader more generous interpretation of the policy wording and the latter doing the opposite.

Mickaela: Thirdly, there is the inevitable dissatisfaction as one party feels cheated because the outcome did not, in its mind, match the bargain it struck. For insurers, that means covering losses that they had not fully assessed and priced for, which is not sustainable in the long term. For the insured, this may mean losses that are so significant their business is no longer viable.

Mickaela: It was the Prudential Regulatory Authority (in January 2019) and then Lloyd’s (in July 2019) that started to put into action plans to reduce those unintended consequences.

Mickaela: Lloyd's mandated that all policies underwritten by Lloyd’s syndicates should provide clarity regarding cyber coverage by either excluding it, or providing affirmative coverage.

Mickaela: Company markets followed, both for consistency (as many also operate as a Lloyd’s syndicate) and driven by comments from regulators.

Mickaela: It is the third phase of the changes introduced by Lloyd's that began on 1 January this year that include PII and other liability policies. However, progress to date has been far from plain sailing.

Mickaela: To assist the market, Lloyd's Market Association (the LMA) and the International Underwriting Association (the IUA) have worked together to produce model clauses and these clauses have been adopted in some PI and D&O policies.

Mickaela: In late January 2019, the IUA’s Professional Indemnity Forum created a working group of committee members to look at how cyber risks are treated in the professional indemnity market and the degree of overlap with traditional, standalone cyber insurance products and any typical gaps.

Mickaela: Part of the committee’s brief was to consider whether a model policy provision could be drafted for use in the professional indemnity market.

Mickaela: This involved seeking feedback from professional indemnity and cyber markets as to where claims for cyber losses should ultimately lie.

Mickaela: The upshot was a model endorsement clause. The aim of the clause was to ensure that what are considered to be standard professional indemnity exposures remain covered by the PI policy with cyber claims excluded, to be picked up elsewhere i.e. under a standalone cyber policy.

Mickaela: However, there was never going to be a one size fits all solution to the problem that is silent cyber and solicitors' professional indemnity cover throws up some fairly unique issues.

Mickaela: Earlier this year, the SRA issued its consultation paper on silent cyber setting out what are undeniably laudable objectives.

Mickaela: These include to provide absolute clarity for law firms, insurers and consumers on the cover provided under a minimum terms solicitors policy without altering the scope of protection provided by the SRA’s PII arrangements.

Mickaela: In other words, maintaining the status quo in terms of the scope of cover provided by the minimum terms and explaining what that is in terms of losses that arise from a cyber act or cyber event.

Mickaela: Over the years the profession has been hit hard by cybercriminals and it remains a key target because, in some cases, as well as the large sums of money held by the firms, they also hold sensitive, confidential information that they are custodians of and there are no signs of that waning.

Mickaela: It must be right therefore that insureds, insurers and consumers of legal services know exactly where they stand in terms of what losses are and are not covered and few would argue with that.

Mickaela: This issue is not the why, it’s the how. How to go about clarifying what is covered without the risk of diluting or concentrating the cover that is currently afforded?

Mickaela: According to the consultation, the SRA’s plan was to add a clause into the minimum terms and conditions that set out clearly what is and what is not covered in the event of a firm being subject to a cyber-attack or cyber event.

Mickaela: However, those of you that have considered the proposed wording of that clause which appears in the consultation paper might be justifiably of the view that the SRA have somewhat missed the mark.

Mickaela: The SRA did consider the IUA model clause for professional indemnity policies but, rightly in my view, rejected it as unsuitable.

Mickaela: This is what the SRA had to say about that clause:

Mickaela reads the statement from the SRA: We are aware that the IUA has published an endorsement specifically for PII policies that it considers would provide affirmative cover for cyber risks. Our view is that this endorsement — which we know some insurers and Lloyd's syndicates have accepted as a model clause — does not reflect the scope of cover for consumers as set out in our PII arrangements.

Mickaela reads the statement from the SRA: The IUA clause reduces consumer protection, so that for example, a loss of client money caused by a cyber-attack might not be covered. The IUA clause would not therefore be appropriate and we are not proposing to adopt it.

Mickaela: But what does the alternative look like? Solicitors' PI arrangements create a real challenge for insurers because of the broad civil liability basis of the solicitor's policy.

Mickaela: Those of you familiar with the minimum terms will know that cover is provided for civil liability to the extent that it arises from private legal practice in connection with the insured firm's practice for claims first made during the period of insurance; or arising from circumstances first notified during the period of insurance.

Mickaela: As I have said, a very broad base.

Mickaela: Further, the definition of claim includes an obligation on the insured to remedy a breach of the SRA Accounts Rules, whether or not a claim has in fact been intimated against the practice.

Mickaela: Essentially then, cover is for third-party losses arising from the insured’s professional activities which would capture some losses arising from a cyber attack or cyber event but by no means all of those losses.

Mickaela: So, some but not all. How does one cater for that?

Mickaela: A prescriptive list of what is covered and what is not is clearly undesirable, as it would be unwieldy and inflexible.

Mickaela: Cover is not provided under a solicitor Minimum Terms policy for first party loss so that might be a sound starting point, albeit there is scope within the definition of ‘Defence costs’ for costs expended by the insured in mitigation of a claim that would be covered if those costs are necessary and reasonable and incurred with insurer's express consent.

Mickaela: So far, so confusing but meeting the objective of absolute clarity in the context of solicitors' PI policy is not an easy ask. Anything too restrictive, i.e. a blanket exclusion of say losses resulting from a cyber attack would be too restrictive, would be a breach of the minimum terms and would therefore be of no effect.

Mickaela: So let's look at the solution advocated by the SRA, and it was, and I quote, ‘adding a clause to the minimum terms and conditions that makes it explicit that the consumer protection under our PII arrangements equally applies if the loss is because of a cyber-attack or a cyber event’.

Mickaela: However, the SRA are or were as at the date of the consultation, essentially proposing the addition of an exclusion clause that excludes all losses arising from a cyber act or a cyber event save those losses that are covered under the policy.

Mickaela: Granted this avoids the difficulty of excluding cover and writing it back in or excluding cover for some but not all losses but it doesn't really silence the objectors, it doesn't really meet the brief.

Mickaela: Put another way, will the insured or a claimant be any the wiser about what is and what is not covered by way of losses under a Solicitors' Minimum Terms Policy if we add in the clause proposed by the SRA? I suggest not.

Mickaela: Also, purists would say that there is no need to exclude cover that does not fall within the scope of the policy in any event.

Mickaela: So where did we get to? Well, the SRA has yet to set out its stall following the closure of the consultation but as we near the end of what is still the most popular period for solicitors' PI renewal, insurers are coming under increasing pressure to comply with Lloyd's mandate and revise the wording of their solicitors' PI policies.

Mickaela: Some have jumped already but I suspect they may rue the day they did that. Others are sitting tight waiting to hear further from the SRA.

Mickaela: We will simply have to wait and see what the regulator does next. My sense is that it is unlikely to tackle the undesirable exercise of writing a more prescriptive clause for the cover afforded by the minimum terms for cyber losses and will land on a wording similar to that found in the consultation paper.

Mickaela: Now, thank you all for listening, and please watch this space for further developments.