Back to blogs
09 June 2020 | 5-minute read
To assist our Members in meeting Lloyd’s new requirement to clarify cyber coverage in all product wordings the LMA has published a suite of model cyber risk clauses for use in the accident & health and travel insurance market. The clauses were developed by a dedicated working group reporting to our Personal Accident (PA) Committee, with support from the LMA Wordings committees. The Lloyd’s requirement will apply to new and renewing business written under the A&H risk codes from 1st July 2020, so it was imperative that model clauses were made available with plenty of time to allow discussion with brokers, coverholders, clients and reinsurers and fine-tuning of clauses to suit different wordings and products.
We were unsure how many model clauses we might need when we started this exercise, but I don’t think anyone expected twelve! We ended up with a vast list of clauses for good reasons though; personal accident, travel and health are complicated classes of business, covering consumer and commercial risks with a range of different products and coverage within the class. We also took the opportunity to review and update a commonly used market wording that excludes war, terrorism and mass destruction perils; we updated this exclusion and published consumer and commercial versions, both with LMA references for the first time. The original wording was published by Jonathan Thomas in 2005 whilst active underwriter of Creechurch Syndicate 1607, which was purchased by Canopius in 2006 (and thanks again to Canopius for permission to use the original JHA005 clause as the basis for our updated versions).
The first job was to produce a simple affirmation of coverage for routine personal accident & illness business (see LMA5415), given in many circumstances underwriters simply need to clarify that where a cyber event triggers a payable benefit that is covered under the policy, the policy will respond as per normal. A major challenge here was to ensure that whilst coverage for cyber events may be given, any claim would still be subject to the normal terms and conditions of the policy, all of which continue to apply. We decided to simply state this outright and used the following formulation “Any benefits for Bodily Injury or Illness caused by or arising out of a Cyber Act or a Cyber Incident are payable, subject to the terms, conditions, limitations and exclusions of this policy.”
To try to ensure a degree of common understanding across the market, we used some of the defined terms that had been previously developed for property clauses (e.g. LMA5400), including “Cyber Act” (a deliberate unauthorised, malicious or criminal act involving use of a “Computer System”; also a defined term) and “Cyber Incident” (including errors and omissions and accidental system failure/loss of access). These defined terms are precise and consistent with wider use in other classes, but the language is not appropriate for consumers, so we decided to produce a consumer-friendly version of the same clause (LMA5414).
The next job was to address a specific concern of underwriters relating to products where acts of terrorism were already excluded (some PA policies provide benefits for bodily injury or illness caused by acts of terrorism and some don’t). There is a clear tension between confirming cyber coverage in a generic statement and specific exclusions that could clash; for example, which provision would apply when a terrorist launches a cyber-attack that causes bodily injury? To remove any uncertainty, we decided to produce an amended definition of an act of terrorism, adding Cyber Acts committed by a terrorist. We did not have a definition of an act of terrorism in any of our model PA wordings, so we decided to review and update the JHA clause mentioned above. The revised definition means that, for policies with a terrorism exclusion, whilst coverage for a cyber event may be provided, the policy would specifically exclude a cyber event perpetrated by a terrorist. This approach mirrors the existing position under the same conditions for accidental bodily injury or illness caused by a terrorism using conventional means (i.e. this would also be excluded). We produced a consumer
version of this exclusion (LMA5418) and a commercial version (LMA5419), which also excludes a list of war and mass destruction perils.
For business that does not contain a terrorism exclusion we also developed a model clause that affirms payable benefits for bodily injury or illness caused by a Cyber Incident (i.e. accidental causes), but excludes losses due to deliberate/malicious Cyber Acts. This would limit the coverage given and protect the insurer from malicious cyber exposures. (See LMA5416 for the consumer version and LMA5417 for the commercial version).
So far so good, but the above clauses all use lead-in language intended for personal accident and illness coverage, and up to 50% of the PA market’s business is accident only cover. In order to try to keep things simple for everyone, especially bearing in mind that consumer wordings need to be clear on coverage, we decided to produce an additional set of clauses for accident only cover. This required only a minor change to each clause to amend the lead-in language to remove the reference to illness cover, but nearly doubled the number of model clauses at a stroke!
We have also published a travel endorsement using consumer-friendly language. This required a different approach as travel policies are generally written on a “named perils” basis and there are some areas where insurers are likely to give cyber coverage and other areas where they are likely to exclude it. There is no model LMA travel wording, so we reviewed specimen travel wordings when developing our model endorsement. We decided to publish a total cyber exclusion with write-backs for cyber causes of serious illness, injury or death, which would grant cyber coverage in three key policy areas; cancellation and curtailment, medical expenses and personal accident benefit.
Head of Non-Marine Underwriting
The full LMA model suite of PA and travel clauses:
Personal Accident & Illness
- LMA5414: Cyber Risks Endorsement (affirmative) – consumer
- LMA5415: Cyber Risks Endorsement (affirmative) – commercial
- LMA5416: Cyber Risks Endorsement (affirmative) + Exclusion of deliberate acts – consumer
- LMA5417: Cyber Risks Endorsement (affirmative) + Exclusion of deliberate acts – commercial
- LMA5418: War, Terrorism and Mass Destruction Exclusion – consumer
- LMA5419: War, Terrorism and Mass Destruction Exclusion – commercial
Personal Accident Only
- LMA5421: Cyber Risks Endorsement (affirmative) – consumer
- LMA5422: Cyber Risks Endorsement (affirmative) – commercial
- LMA5423: Cyber Risks Endorsement (affirmative) + Exclusion of deliberate acts –consumer
- LMA5424: Cyber Risks Endorsement (affirmative) + Exclusion of deliberate acts –commercial
- LMA5425: LMA5418: War, Terrorism and Mass Destruction Exclusion – consumer
- LMA5420: Cyber Risks Endorsement (exclusion with write-backs) – consumer
You can access the above clauses on the Lloyd’s Wordings Repository (www.lloyds.com/wordings).
Disclaimer: The commentary on coverage provided within this document is provided as general guidance only and does not intend to confirm the provision or exclusion of coverage within any individual insurance contract. As with all matters dependent upon the terms of the contract, each clause/ provision must necessarily be considered on its precise terms and in its specific context.
From time to time, the LMA publishes wordings and clauses as models. These models are therefore purely illustrative and are distributed for the guidance of its members, who are free to agree to different conditions or amend as they see fit. The LMA does not publish written guidelines with regard to application or intent of any specific contractual terms (unless use of such contractual terms would constitute a breach or potential breach of any law or regulation) and the LMA therefore cannot release any clause drafting history. The LMA (including all panels and working groups, which may include Joint Committees in conjunction with the International Underwriting Association (IUA)) in drafting such clauses, operates under strict terms of reference to ensure, amongst other things, compliance with Competition Law and it is for underwriters to decide whether or not any contractual language is acceptable on any given risk.