Greater transparency welcomed but many businesses face extra bills for cyber insurance add-ons compliance firm says

Many businesses could be left under-insured and exposed to cyber attacks as redrafted property policies are increasingly excluding IT-related losses.

It follows the Bank of England’s Prudential Regulation Authority (PRA) and Lloyd’s of London asked insurers to give more detail about cyber-related losses covered by their normal policies. The aim was to improve transparency in the industry.  

The PRA was also concerned that businesses were too reliant on IT and data systems could mean insurers did no hold enough cash to cover large losses.

But it has seen thousands of businesses forced to face extra bills for cyber insurance add-ons, firms are instead paying separately for policies to guard against IT outages.  

Greater transparency 

Last year the PRA wrote to insurance bosses telling them to “reduce the unintended exposure to non-affirmative cyber risk”.

The PRA said that previously insurers could address their exposure to silent or “non-affirmative” cyber risk by using “robust” wording to exclude these losses, attaching specific limits on cover or raising premiums to reflect the added risk.

Insurance compliance firm Mactavish welcomed attempts to bring greater transparency to the insurance market, but said that the redrafting of many commercial property policies is leaving clients under-insured and exposed to a range of broadly “tech-related” risks which they had believed would be covered.

Mactavish says that this black and white approach fails to appreciate the integral role technology plays in almost every business today, and the cyber insurance market lacks sufficient capacity to write large-scale property risks.

Rob Smart, technical director at Mactavish said his concern was that the various exclusion clauses were too broad and are therefore being used indiscriminately which unfortunately more cover than was intended that is not being discussed properly.

He told Insurance Times: “If the intention is to take out cyber where [it] should be sitting in a standalone policy, the unfortunate effect,  particularly if they are being used in an indiscriminate way, is that it will take out a lot of traditional cover as well in a way that people won’t realise. That was our key concern.”

This means that some commercial property insurance policies will not cover for losses that arise from traditional types of property loss such as fire that took place through the medium of IT. 

A good thing 

Graeme Newman, chief innovation officer at cyber underwriter CFC said that the push for greater transparency will be a good thing for the industry. 

”I don’t think it’s about removing it is about clarifying, insurers must be clear on what they are intending to cover and what they are not intending to cover.

”Many property forms were drafted decades ago, and the drafting hasn’t moved on that much. There is no rule that prevents a property insurer from covering a cyber event, the rule is simply saying if you are going to do that, make it clear.”

It comes off the back of some major ransomware attacks, such as that which afflicted food giant Mondelez in 2017. The attack left 1,700 of its servers and 24,000 laptops rendered ’permanently dysfunctional’. In that case its insurer Zurich refused to pay out because the claim was made on a property, not a cyber policy. 

There are theoretical gaps in coverage for an electrical or cyber event that gives rise to physical damage, but Newman said this is not a new problem. 

This latest position can only make things clearer. 

Cyber is an asset-based policy like property insurance, not peril-based. This means that it covers ’intangible assets’ such as the reputation of the brand, or data. 

For example in a plane crash, where only parts of the plane were recovered and there is speculation that it could have been down to a cyber attack. 

Newman, added: “If the plane has gone, that is what triggers the payout on the whole policy, not what caused the plane crash.”

He reiterated that UK businesses are far more vulnerable to intangible risks, “this is what the cyber market was set up to tackle”. 

Under-insurance 

But this change could mean that some SMEs are under-insured for loss events that they think they are insured for, Smart said. 

He gave the following example of a reworded commercial property insurance policy that the firm reviewed, it excluded all losses “indirectly contributed to by” IT or data failure, even “regardless of any other cause or event contributing” to a loss.

Smart said that this wording removes the entire loss if it includes fire or flood caused through the means of IT which is not what was intended.

A Lloyd’s spokesperson said: “We believe that Lloyd’s policyholders, brokers and syndicates will all benefit from greater clarity of coverage for losses caused by a cyber event.

”Customers will benefit because they will understand exactly how their policy responds to a loss arising from a cyber event, brokers will be able to offer better advice to their customers, and syndicates will be able to accurately assess, price and quantify their exposures.

“Lloyd’s has therefore asked syndicates to provide more detail about the cover they provide for cyber-related losses, at the same time we are actively encouraging our market to innovate to provide new solutions to meet customers’ needs.”

From 1 January 2020 Lloyd’s underwriters were required to clarify whether first-party property damage policies affirm or exclude cyber cover.

What can brokers do?

But brokers have a key role to play here, “they can look very carefully at policy wording, why exclusions are being used and what the impact [is],” he said.

Smart reiterated that this needs to be done carefully as the danger for SMEs is that if they have cyber exclusions it’s putting huge holes in their cover that they are not aware of, and if they are buying cyber as a standalone it probably isn’t filling those gaps.

Ultimately Smart said that this change needs to be driven by buyers, who also need to negotiate the risks that need to be covered.

Smart said it could happen in other policies such as marine and crime as there is overlap.

“[For] some of the new wording we are seeing [it] goes far beyond the intent of the Lloyd’s mandate, and it means clients are no longer covered in areas such as loss of data from flooding or a fire for example - even if it’s not related to a cyber-attack.

“Clients are being forced to take out separate cyber insurance to cover these excluded risks, but often this cannot meet their needs either without significant alterations,” Smart said. 

Meanwhile a similar issue has arisen in marine insurance that covers ships, cargo and terminals.