
Cyber v Professional Indemnity (PI)

Regulatory Edition – Silent Cyber


By Hollie Mortlock | May 7, 2021

This article discusses what the focus on silent cyber may mean for financial institutions and their PI insurance.

Silent cyber, otherwise known as non-affirmative cover for cyber risk events, has been the focus of many brokers, insurers and regulators. But what does it mean for financial institutions who purchase professional indemnity (PI) insurance policies?

Background

Over the past decade or more, the cover afforded by PI insurance has expanded, largely driven by a very competitive insurance marketplace. As coverage expanded, and the frequency of cyber-related incidents increased, financial institutions turned to their PI policy for reimbursement of costs and expenses, as well as possible payments of damages to third parties. Then, as the relatively new cyber insurance market developed, and with that broader coverage for cyber-related losses, some financial institutions also began to purchase cyber insurance.

With broad coverage and no specific cyber exclusions in PI policies, and broad coverage also available under cyber policies, it became uncertain which policy should respond first in the event of a cyber-related incident. The Prudential Regulation Authority (PRA) raised concerns about the scope of cyber cover in traditional non-cyber policies and the resulting uncertainty, and in 2017 published a statement [1] setting out its expectations for insurers to be more transparent. The statement focused on insurers ‘actively managing non-affirmative (‘silent’) cyber risk’.

In 2019, after examining the results of a follow-up survey to the 2017 statement, the PRA issued a ‘Dear CEO letter’ [2] to all specialist general insurance firms regulated by the PRA outlining the outcome of the survey and how the PRA would be monitoring the situation closely. They would also be coordinating with Lloyd’s markets to agree any follow-up actions in relation to Lloyd’s managing agents. Thereafter, Lloyd’s issued a Market Bulletin [3] informing all Lloyd’s insurers that all policies are “to be clear on whether coverage is provided for losses caused by a cyber event.”

Regulatory investigations

With regulators having a more active presence, targeted regulatory investigations regarding firms’ business practices or conduct of individuals were becoming more common [4]. Does this mean the PI policy should respond if, for example, a financial institution suffers a data breach and the regulators launch an investigation? With coverage for regulatory investigations under PI policies often quite broad, one may find the cover is available. However, some insurers felt that the premium charged for PI insurance did not adequately reflect the broad coverage and expectation for cyber-related matters to be covered.

As part of the PRA’s dive into the matter of uncertainty and scope of cover, and the bulletin issued by Lloyd’s, the London Market Association released a number of clauses to be added to specific financial lines policies, which either affirmed, or excluded, losses arising from cyber-related events. Some insurers have taken the initiative to manage their cyber exposure by insisting on adding the clause to PI policies which specifically excludes regulatory investigations arising from a ‘cyber act / cyber incident’. What does this mean for policyholders who purchase PI insurance going forward? Does this mean cover for cyber-related events may now be excluded under PI policies and there are now potential gaps in cover?

Conclusion

With the regulators insisting on adding more clarity to policies by affirming or excluding cyber coverage, could this have brought more, rather than less, uncertainty for financial institutions in respect of existing coverage under their PI policies? Has this now increased the need for all businesses to buy a cyber policy? With insurers now actively addressing the perceived overlaps in coverage between cyber and PI insurance, talk to Willis Towers Watson on how we can help you navigate these hurdles.

Footnotes

1 https://www.bankofengland.co.uk/prudential-regulation/publication/2017/cyber-insurance-underwriting-risk-ss

2 https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/letter/2019/cyber-underwriting-risk-follow-up-survey-results

3 https://www.lloyds.com/~/media/files/the-market/communications/market-bulletins/2019/07/y5258.pdf

4 https://www.fca.org.uk/publication/annual-reports/annual-report-2019-20.pdf

Author

Head of FINEX Financial Institutions Product Development
