The Challenges of Affirmative Cyber Language

09 December 2019 | 5-minute read

Since the publication of Lloyd’s Bulletin Y5258 in July we have been working hard to produce model policy language to help our members (the managing agents at Lloyd’s) to address the evolving nature of cyber risks and exposures. The LMA supports the policy ambitions of the PRA and Lloyd’s in this area; clarity of coverage for the benefit of clients, brokers and insurers. The LMA has already published several model cyber clauses including exclusions and exclusions with write-backs, and others are currently in development. Adding affirmative policy language is a different matter and presents significant difficulties, which is why we continue to engage with managing agents and Lloyd’s to try and ensure there are no unintended consequences arising from the Lloyd’s requirements. The problems that could arise from a rush to affirmation, without careful consideration, are potentially severe. 

Lloyd’s has confirmed that affirmative policy language will be required on Lloyd’s policies written on an “all-risks” basis, where cyber risks are not excluded. The non-marine lines fall into my remit and discussions with underwriters have already started; how do they want to deal with this issue?  

Underwriters’ first concern is to avoid unintentionally broadening the cover, especially regarding the risk of new affirmative language negating important exclusions. This is going to be tricky. “All risks” policies don’t specify individual perils – that’s the point. Any peril that causes an insured loss is covered, so there is a good argument that these policies do not require specific affirmative language, as coverage for all perils is already provided. However, we can add policy language to try and confirm that a loss arising from a cyber event that triggered a covered peril (e.g. a software error that caused a machine to explode, causing a fire) would be payable. But what happens when the cyber event that is now covered takes the form of (for example) a terrorist act, which is not covered because it is specifically excluded in a subsequent section of the policy? This is a critical issue as many non-marine lines of business exclude key risks such as war, terrorism and nuclear & radioactive contamination. There is no intention to give such coverage, whether the loss results from a cyber trigger or by more conventional means. 

The above concerns are leading to careful drafting to try and ensure that any affirmation of cyber coverage on an “all risks” policy does not exceed the coverage previously provided and is always subject to the terms, conditions, limitations and (especially) the exclusions. There is a risk of upsetting the balance of an “all risks” policy; all risks are covered unless they are specifically excluded. This approach also introduces something of a paradox. Even the most carefully drafted affirmative clause is otiose; it doesn’t actually do anything. It would be a logical short-circuit to state that if a cyber event triggers cover that already exists in the policy, the insurer will pay, but no additional cover beyond that is provided. In other words, if the clause was removed there would be no effect on the operation of the policy. (I was taught to remove such clauses, not add them in!).  

This also brings us to another difficulty to overcome; how will clients (and their agents) interpret the new language, given they may have reasonably assumed that “all risks” cover includes cyber events (unless they are specifically excluded)? Why aren’t other perils also being affirmed? The confusion that the above drafting might cause also creates the scope for opportunistic claims, especially in jurisdictions that apply the contra proferentum principle in contract law (that construes any ambiguity against the drafter). These jurisdictions include the UK, the US and Canada (for example), accounting for the vast majority of contract law applying to Lloyd’s business. Careful drafting and discussions with broker and clients will be important in militating against these risks. 

We have also grappled with the perennial problem of how to define cyber risks. The PRA and the Corporation of Lloyd’s have adopted an extremely broad definition, which is more suitable for regulatory purposes than contract drafting. (It also uses the term “cyber-related” in its own definition of cyber risk; another thing I was taught not to do). The LMA has produced many model wordings in recent years that define various cyber “events”, “incidents” and “acts”, and whether these are malicious or accidental, or arise from inaction, errors or omissions. We have defined cyber losses, software, data, computer systems and denial of service attacks and these concepts will continue to evolve. Ultimately, we will need to develop terms that address the risks faced by each class of business, possibly down to an individual product level. We have sought to achieve this for the lines of business that must have new wordings in place by 1/1/2020, and we are already working on the remaining lines of business that will need to comply with Lloyd’s requirements in the future.  

This brings me to the last problem we have encountered (so far); the approach proposed by Lloyd’s is not one that has been adopted universally across the insurance market. Managing agents that seek to comply with Y5258 by excluding cyber risks could find themselves at risk of being replaced on business where competitors are prepared to remain non-affirmative. Similarly, introducing contractual uncertainties, in the form of problematic affirmative clauses could be exploited to the detriment of Lloyd’s. Either option is unpalatable and risky, especially as the PRA permits addressing cyber risks by a wide variety of means, not just changing policy language. However, the course has been set and we will endeavour to assist our members in meeting the requirements of the Bulletin. 

Published: 09 December 2019

David Powell
Head of Technical Underwriting

View Profile