IUA draft clauses to combat “silent cyber” uncertainty

The International Underwriting Association has published draft cyber loss exclusions in an attempt to combat uncertainty in “silent” cyber risk cover.

The International Underwriting Association of London (IUA) has published two draft “Cyber Loss Exclusion Clauses” to address the current uncertainty in relation to non-affirmative, or “silent”, cyber risk cover. The introduction of these clauses has been prompted by the PRA’s previous consultation on this issue and the general concern that there is unclear (and, often, inadvertent) provision of coverage for cyber risks within a number of classes of insurance business. The PRA has previously detailed its expectations for companies in respect of providing non-affirmative cover, most notably by requiring Solvency II firms to robustly assess and actively manage their insurance products in respect of this risk and to consider the following approaches:

  1. adjusting the premium to reflect the additional risk and offer explicit cover
  2. introducing robust wording exclusions, and / or
  3. attaching specific limits of cover.

The IUA’s draft exclusion clauses can be found here.

The first is a “Cyber Loss Absolute Exclusion”, developed to provide underwriters with a tool to exclude, in the broadest possible manner, any loss, whether malicious or otherwise, arising out of the use of (or inability to use) a Computer System, Computer Network or Data, each of which is specifically defined in the clause.

The second clause is a “Cyber Loss Limited Exclusion”, which will only apply in circumstances where a “Cyber Loss” is “directly caused by” one of the stated cyber events. It, therefore, requires that a cyber event is the proximate cause of the “Cyber Loss” and would not apply in circumstances where, for example, the negligence of an employee of an insured is considered to be the proximate cause of the “Cyber Loss”, rather than the cyber event. This is likely to be particularly relevant in respect of social engineering scenarios, in which an employee has been duped by a third party into taking a particular course of action, which constitutes negligence on the part of the Insured.

The IUA has acknowledged the broad nature of these exclusions and recognises that underwriters may wish to use them as a starting point. In this regard, it also contemplated a write-back provision in the event that underwriters wish to provide certain aspects of cover for cyber losses.
