Lloyd’s of London announced in 2019 that it will require all insurance policies to clearly state whether they will or will not provide affirmative cyber coverage.
The market is rolling out a phased implementation of its silent cyber mandate. The first phase, which launched on January 01, 2020, requires all Lloyd’s underwriters to confirm whether first-party property damage policies affirm or exclude cyber cover, regardless of whether they’re written on an all-risks or a named perils basis.
Phase two is launching on July 01, 2020, and will include the following classes of business: accident & health, contingency, political risks, property CAT XL, property pro rata, property risks XS, space, banker’s blanket bond /crime, credit and financial guarantee, agriculture & hail, and livestock excess of loss. Phase three will then launch on January 01, 2021, which will add professional risks and financial lines to the classes of business that need to provide clarity around cyber coverage.
“Lloyd’s has been addressing the issue of silent cyber in a very robust manner,” said Mauro Signorelli, head of international cyber at Aspen Insurance. “Lloyd’s is trying to give more clarity to the insureds. It’s going to be a lot of work because, at the moment, there’s a lot of inconsistency in the market in terms of policy endorsement, exclusion and extension.
“I think brokers are going to like these changes because there’s going to be a lot more clarity. It will be beneficial for our clients because they will know what is covered and what’s not, rather than [finding out at claim time] whether they had coverage or not. Then hopefully the cyber standalone market will stop getting such bad [rep] from people saying we don’t pay claims, when actually it wasn’t [meant to be paid under] a cyber policy.”
It’s fair to assume that insurance brokers dislike so-called silent risks. They never want to leave a client in the lurch, especially when that client placed trust in them to make sure they were adequately protected. When underwriters start to dispute whether a risk is affirmatively covered or excluded, it’s normally the brokers who are first in the firing line from frustrated end-clients.
“From a broker’s perspective, we like affirmative language, whether it comes in the form of an exclusion or in the form of affirmative coverage,” said Ruby Rai, cyber practice leader at Marsh Canada. “As an industry, that gives us more opportunity to have those holistic discussions with the client because now it’s clear [cyber] risk is not covered under property policies or casualty, aviation or marine – the list goes on. It also gives clients pause. They’re concerned over the question: ‘What coverage am I missing now that the market in general is throwing blanket exclusions for cyber risk on all of my policies (with the exception of standalone cyber)?’
“Affirmative language is great as long as it’s not used as a tool to put blanket cyber exclusions under an entire insurance portfolio and then not offer a solution on the other side. The concern among the client and broker community is definitely [whether we] have a solution for the client to deliver after excluding cyber risk across their entire insurance portfolio. I think that’s what we need to work on as more exclusions or affirmative language comes out in the market.”
One challenge when it comes to affirmatively covering or excluding cyber is the fact that cyber is both a vertical insurance industry and an underlying peril, according to Christopher Liu, head of cyber risk, financial institutions group, AIG. He pointed out that you can have fires caused by cyber, you can have employment practices claims caused by cyber, you can have D&O suits caused by cyber, and so on. This Lloyd’s mandate is an effort to categorize and corral how and when different policies will respond.
“The beauty of a large risk exposure is that a sophisticated insurance buyer ought to be looking at their total risk transfer portfolio in concert. It’s like a hand of cards. When a situation arises, you want to be able to play that policy to address that portion of the risk,” Liu commented.
“If you drive your car into your house, your homeowners’ policy will pay to repair your house and your auto policy will pay to repair the car - and nobody is complaining that neither policy is addressing the totality of the loss,” he added. “With cyber, it’s exactly the same. Your cyber risk should be contained to your cyber policy as much as is reasonable, but then you have to look at how other policies address cyber exposures. Are they covering that portion of the loss that’s particular to their insurance policy, even if it may have an underlying cyber peril?”