PI insurance and the risk of silent cyber exposure

In an earlier December 2022 Navigate article, ‘Cyber-crime and cyber insurance’, I noted that cyber-crime had increased massively in recent years. I pointed out that insurance was one important tool that can be used by businesses to mitigate the risks of cyber-crime.

As noted in my earlier article, cyber-crime is increasing in scale and complexity. Businesses such as law firms are particularly vulnerable to cyber-attacks because not only do they transact client funds, but they hold sensitive and confidential information such as client names, addresses and banking information.

The purpose of this article is to consider the extent to which a professional indemnity (PI) policy might respond to a cyber event. I also discuss developments in the United Kingdom (UK) due to concerns that silent (non-affirmative) cyber coverage in traditional insurance lines such as PI may result in gaps in coverage or threaten insurer solvency because an insurer must cover an unintended cyber risk, and what the UK regulators and insurance industry is doing to address those concerns.

Silent or non-affirmative cyber cover is where a traditional property or liability policy provides cover for cyber risks without expressly including or excluding such cover.

PI insurance is written on a claims-made basis covering claims while the policy is in force. It is designed for professionals to meet the risks associated with claims arising from giving advice and carrying out professional services. Typically, it provides cover for any legal liability to pay damages or compensation, together with the insured’s own costs of investigating, defending, and settling the allegation or claim.

The insuring or operative clause in a typical PI policy is usually broadly written. A typical insuring clause will provide cover for all sums which the insured shall become legally liable to pay as compensation or damages for any breach of duty arising in the performance of their Professional Business. Some policies adopt a “any Civil Liability” wording. Usually, the insured’s Professional Business will be expressly recorded in the policy schedule. Self-evidently, the wider the definition of Professional Business, the broader the cover provided by the policy.

A PI policy frequently covers a wide range of wrongful acts including negligence, breach of contract, breach of trust or fiduciary duty, misleading statements, or breaches of the Trust Accounting Rules. PI policies also often contain extensions for defamation, loss of documents and dishonesty of employees.

The wide cover provided by a PI policy is then traditionally limited by express exclusions such as EL/PL and D&O risks.

Ordinarily, a PI policy will be silent on whether it covers cyber events, but nonetheless may ‘silently’ do so, subject to any specific exclusions and endorsements, which are becoming more prevalent.

It is important that businesses appreciate that the scope of cover under a PI policy for cyber events is limited and may not indemnify loss arising from all cyber events. In particular, a PI policy does not provide cover for first party losses.

My earlier article discussed the types of cyber-crimes (e.g. hacking attacks and viruses) and the scope of cover under a typical cyber insurance policy. A cyber policy will typically provide a combination of first-party costs and third-party liability cover following a cyber event (often with specified sub-limits for each).

Cyber insurance is unique in the sense that it covers both first party and third-party losses. It was developed to address potential gaps which existed with traditional liability policies.

First party cover is for the immediate aftermath of the cyber-attack. It includes covers for responding to a breach such as access to an IT forensic expert and data retrieval and restoration.

A cyber policy will also commonly provide cover for:

• An insured’s business interruption losses.
• Third party claims for financial loss following a hacking attack, breaches of privacy obligations and the theft of commercially confidential information.

In the UK, the Prudential Regulatory Authority (PRA) and Lloyd’s of London require insurers to implement action plans to reduce unintended or unclear cyber exposures, referred to as ‘silent cyber’.

In 2019, Lloyd’s mandated that all Lloyd’s underwriters introduce policy language clarifying the treatment of cyber risks.

In around October 2021, the Solicitors Regulation Authority (SRA) consulted on proposals to make changes to its Minimum Terms and Conditions (MTC) for the PI insurance that it requires all regulated law firms to have in place. The proposal (which was subsequently implemented) was to add a clause into the MTC that sets out what is and what is not covered in the event of a firm being subject to a cyber-attack. This was in line with the expectations that the PRA and Lloyd’s have of insurers because of the increasing risk of cyber-attacks on individuals and businesses.

The amendment to the MTC allows insurers, by way of an exclusion or endorsement, to exclude liability for cyber acts, failure of computer systems, malware incidents, failure of ‘core infrastructure’ and breaches of data protection law. There is, however, an important proviso that any exclusion or endorsement may not exclude or limit liability for civil liability, defence costs or any award by a regulatory authority.

There may be some situations where a PI policy and cyber policy will both respond, which raises issues of contribution between insurers based on principles of double insurance. Examples are third party liability arising from personal privacy and data breaches, and the loss of client funds following a cyber-attack on the professional’s computer systems which may result in the professional being tricked into paying away client funds, which may also involve negligence. Otherwise, it is not always easy to determine whether the claim against a professional is properly considered to be a PI risk covered or one for the specialist cyber insurance market.

It is important that purchasers of PI insurance understand what they are insured for in the event of a loss. The UK insurance industry and its regulators should be congratulated on their aim of providing clarity in relation to ‘silent cyber’. A positive outcome is that the purchasers of PI insurance have a better understanding of what cover they have under their PI policy in the event of a cyber event. Silent cyber is problematic for insurers and insureds alike because it can result in disputes over the extent of the cover they have. A lack of cover for a cyber event could be catastrophic for a business.

The Reserve Bank governs prudential regulation of insurers in New Zealand. It has wide ranging powers under the Insurance (Prudential Supervision) Act 2010. As far as we are aware, the Reserve Bank has not taken any steps to address the risk of ‘silent cyber’ in more traditional lines of insurance.

We are seeing more insurers using cyber exclusions and endorsements in their PI policies to restrict cover for cyber events. This trend is likely to continue. However, express exclusions for cyber events are not (yet) standard in the PI market in New Zealand.

It is likely that more businesses will purchase standalone cyber risk insurance in the future because such a policy will provide much more extensive cover for cyber events than might otherwise be available under other policies.

This publication is intended as a general overview and discussion of the content dealt with. It should not be used in any specific situation, in which case you should seek specific legal advice.