We spotted this latest blog post by David Powell at Lloyd’s, which looks at the new cyber risk landscape that is emerging and at how underwriters can keep pace with regulation and with the fluid nature of cyber attacks, data breaches and so on.
Here’s an extract, with a link below to the original piece.
Since the publication of Lloyd’s Bulletin Y5258 in July we have been working hard to produce model policy language to help our members (the managing agents at Lloyd’s) to address the evolving nature of cyber risks and exposures. The LMA supports the policy ambitions of the PRA and Lloyd’s in this area; clarity of coverage for the benefit of clients, brokers and insurers.
The LMA has already published several model cyber clauses including exclusions and exclusions with write-backs, and others are currently in development. Adding affirmative policy language is a different matter and presents significant difficulties, which is why we continue to engage with managing agents and Lloyd’s to try and ensure there are no unintended consequences arising from the Lloyd’s requirements. The problems that could arise from a rush to affirmation, without careful consideration, are potentially severe.
Lloyd’s has confirmed that affirmative policy language will be required on Lloyd’s policies written on an “all-risks” basis, where cyber risks are not excluded. The non-marine lines fall into my remit and discussions with underwriters have already started; how do they want to deal with this issue?
Underwriters’ first concern is to avoid unintentionally broadening the cover, especially regarding the risk of new affirmative language negating important exclusions. This is going to be tricky. “All risks” policies don’t specify individual perils – that’s the point. Any peril that causes an insured loss is covered, so there is a good argument that these policies do not require specific affirmative language, as coverage for all perils is already provided.
However, we can add policy language to try and confirm that a loss arising from a cyber event that triggered a covered peril (e.g. a software error that caused a machine to explode, causing a fire) would be payable. But what happens when the cyber event that is now covered takes the form of (for example) a terrorist act, which is not covered because it is specifically excluded in a subsequent section of the policy? This is a critical issue as many non-marine lines of business exclude key risks such as war, terrorism and nuclear & radioactive contamination. There is no intention to give such coverage, whether the loss results from a cyber trigger or by more conventional means.
Read the rest of this blog post here.