IUA publishes Cyber Exclusion Clauses
Two new London Market model clauses to help underwriters manage cyber losses have been published by the International Underwriting Association (IUA). The wordings have been developed in order to address issues of non-affirmative or ‘silent’ cover, where traditional insurance policies may unintentionally suggest protection for undefined cyber risks.
Firstly, a Cyber Loss Absolute Exclusion Clause (reference: IUA 09-081) provides market participants with an option to exclude in the broadest possible manner any loss arising from the use of a computer system, network or data – each of which is clearly defined. Meanwhile, a Cyber Loss Limited Exclusion Clause (reference: IUA 09-082) enables only the exclusion of losses directly caused by cyber events, rather than ‘directly or indirectly’.
Chris Jones, IUA director of legal and market services, said: “These two new model clauses provide broad policy exclusions which may be utilised as a starting or reference point for underwriters offering cover for traditional business classes that may include an element of cyber risk. By developing class-specific write backs insurers can then explicitly state the extent of any cover provided for such losses.”
Both clauses were developed in response to concerns expressed by the Prudential Regulation Authority (PRA) about potentially unintended or unclear provision of coverage for cyber risks in various classes of insurance business. The issue was addressed by the regulator in a November 2016 consultation paper (‘Cyber insurance underwriting risk’) and subsequent policy statement (PS 15/17). Companies were urged to actively manage their exposures by considering adjustments to premium, robust wording exclusions and specific limits of cover.
Mr Jones added: “Silent cyber cover creates uncertainty for both insurers and clients and has been a hot topic in the London company market for some time now. Increasing regulatory scrutiny has, of course, further highlighted the issue, but IUA members have been considering different approaches even before it was first raised by the PRA.
“Many traditional policies were designed when cyber wasn’t a major risk and often do not explicitly mention cyber. Some high profile cyber events and losses have clearly demonstrated, however, how important it is to address.”
The two new cyber clauses are available to download, along with all IUA model clauses, from the association’s clauses website www.iuaclauses.co.uk.