Cyber Insurance: Variety in cyber
With cyber insurance a relatively new market, issues are arising in various areas – many from the non-standard wordings in policies themselves.
Perhaps the most talked about British Insurance Law Association event of the last five years was the cyber mock trial in 2011, put on jointly with the Professional Liability Underwriting Society. This was held at the Royal Courts of Justice before Lord Justice Aikens, with participation from top QCs, cyber insurers, brokers and experts, including Tom Weitzman QC, Michael Douglas QC, Rick Welsh of Aegis Insurance, David Nayler of Aon, Christine Williams and myself.
The impetus behind the event was that cyber insurance was relatively new to the London market and there was no established body of decided case law to act as a guide on how cyber wordings – which varied considerably in terms of both drafting approach and coverage breadth – might be interpreted.
Three years on, there remains a large degree of variation between wordings and as yet little standardisation. This contrasts with professional indemnity wordings for many specialisms where minimum terms apply.
Body of experience
What has perhaps changed is that an increasing body of experience is being built up as a result of cyber-related issues being encountered on a regular basis in legal and insurance practice.
As insurance lawyers and claims specialists, we are seeing cyber issues arising in many different areas, including a number of issues stemming from the wordings themselves. Such general issues include policies that give cyber cover unintentionally, bolt-on cyber extensions in PI, other general liability policies that do not offer the cover that might have been intended, cyber products that are giving broader cover than the underwriters intended and post-inception endorsements that simply make no sense.
Some of these issues stem from the fact that wordings have not been tried and tested over the course of many years under English law. There are a number of other issues, for example: as more entrants come into the market, wordings are frequently cut and pasted from more experienced competitors and in the process mistakes can happen; sometimes it is just a case of plain bad drafting – for example, clauses that should go into the insuring clauses ending up in the definitions and vice versa; US wordings are being imported without modification other than to the choice of law, so the cover does not work as insurers and insured expect when analysed under English law; and often it is a case of typographical errors or inconsistencies in the policy, such as expressly covering business interruption but then naming it in the exclusions.
Part of the problem is that cyber is covering highly complex and fast developing systems, technical concepts and risks. Issues can also be caused by IT jargon that, unlike established legal and insurance terminology — for example, ‘condition precedent’, ‘warranty’ and ‘avoidance’ – does not always have a definitive meaning.
Jargon can change and does not necessarily have an easily understood meaning for legal and claims professionals or insureds. For example, the expression ‘improper deep linking and framing’, which has been used in policies, is not necessarily going to be understood by anyone reading a cyber policy or seeking to establish the cover provided in a subsequent court action.
Often the inclusion of such terms is in direct reaction to a specific case that occurred at the time early US cyber policies were developed, such as with the 1997 Ticketmaster v Microsoft case relating to deep links.
‘Dearrangement’ is another example, as is the ambiguous term ‘wrongful collection’, which arose in policies largely in response to US claims under the Song Beverly Credit Card Act and related to collection of postcodes at the retail point of sale, but could be interpreted much more broadly.
Incoming Bila deputy chairman, David Nayler, head of the financial and professional services legal and claims practice at Aon, says: “It is incredibly frustrating and disappointing that a number of current off-the-shelf cyber product offerings contain errors in the wordings on simple insurance issues that have already been litigated, clarified and settled in other classes of insurance, and that often amendatory endorsements are needed to fix these basic issues”.
The top specialist cyber underwriters may be technically expert and the best wordings can be models of clarity – but these seem to be the exception, not the rule.
The other point is that data protection, privacy and cyber-related issues are rapidly changing areas of law. It is important that wordings should keep abreast of legal developments and that is not always the case. Further, insurers are keen their products should be at the forefront of developments and keeping the competitive edge means wordings must evolve too. Such evolution is necessary in a fast-paced insurance market, and more so when dealing with a risk exposure that is also developing so quickly.
Of course, disputes can arise even on the best drafted wordings, but clarity of meaning and accurate drafting remains the best way to eliminate uncertainty and litigation. Over time, such basic errors as mentioned earlier should become a thing of the past as experience increases and wrinkles get ironed out with use.
Just as issues are arising under cyber wordings, other claims are also arising, such as claims against brokers for not arranging cyber cover that works when the claims arise, and against the law firms where insurers relied upon advice on the drafting of their offering.
Cyber bolt-ons to non-specialist policies – or other off-the-shelf products – may seem attractive due to cost and because they apparently satisfy the requirement to have cyber cover in place, but they may not provide the level of protection envisaged and could leave the business exposed. There have also been some reinsurance issues where the cyber bolts-ons have not fallen within the insurers’ PI treaty and so the losses are not reinsured.
As is well known from cases like TK Maxx, Sony, and Heartland, cyber losses can be enormous. If a policyholder makes the decision to purchase cover, it is important for the reputation of the product, the broker, the insurers and for the insured’s balance sheet, that the cover works.
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.